Researchers disclosed a new zero-day DDoS attack technique, called ‘HTTP/2 Rapid Reset’, that was exploited since August 2023 in record-breaking attacks. These attacks have been observed on Amazon Web Services (AWS), Cloudflare and Google.
The attack peaked at 155 million requests per second (Amazon), 201 million rps (Cloudflare), and a record-breaking 398 million rps (Google).
The attack method abuses HTTP/2’s stream cancellation feature to continuously send and cancel requests, overwhelming the target server or application and imposing a DoS state.
The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled, by sending a RST_STREAM frame. The protocol allows the client to unilaterally request a cancelation. It “makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open”, continues the Google post. This can be mitigated by having entire TCP connection needs to closed when abuse is detected.
Amazon Web Services (AWS), Cloudflare and Google said on October 10, 2023 they took steps to mitigate these record-breaking Distributed Denial-of-Service (DDoS) attacks
Read more about it here.