HTTP/2 zero-day vulnerability (CVE-2023-44487) triggered the largest denial of service attack in history

Recently, Google announced the HTTP/2 protocol vulnerability CVE-2023-44487.
Attackers can use this vulnerability to launch low-cost and very large-scale attacks (http2-rapid-reset-ddos-attack). Attackers used this method to launch attacks on Google Cloud Platform customers starting in August. In one attack, the attacker issued up to 398 million requests in 1 second, which is also the highest number of requests per second on record. an attack.

From August 28 to 29, Amazon Web Services, Cloudflare, and Google Cloud independently observed DDoS flood attacks, in which multiple waves of traffic occurred, each lasting only a few minutes. The attack targets cloud and network infrastructure providers. Unknown perpetrators are behind the incident, but it is clear that they exploited a vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487, which is of high severity. The CVSS score is 7.5 out of 10. This incident is called a "HTTP/2 Rapid Reset" zero-day attack.

According to Cloudflare, HTTP/2 is fundamental to how the internet and most websites operate. HTTP/2 is responsible for how the browser interacts with the website, allowing the browser to quickly "request" to view content such as images and text, and can do it all in one go, no matter how complex the website is.

Cloudflare said the HTTP/2 fast reset attack technique involves making hundreds of thousands of HTTP/2 requests at once and then immediately canceling them. Cloudflare's October 10 advisory on rapid reset attacks explains that by automating this "request, cancel, request, cancel" pattern at scale, threat actors can overwhelm websites and enable anyone using HTTP/2 The website is offline.

The HTTP/2 protocol is used in approximately 60% web applications. It is understood that Cloudflare received more than 201 million requests per second (rps) during the peak period of activity in August. Cloudflare said some organizations are seeing higher request numbers when taking mitigation measures. The peak of DDoS attacks in 2022 was 71 million rps, and the 201 million rps received by Cloudflare was three times that of last year.

At the same time, Google observed a peak of 398 million rps, seven and a half times the previous attack on its resources; AWS detected a peak of more than 155 million rps against the Amazon CloudFront service.

In its post, Google noted that to put the scale into perspective, the two-minute attack generated more requests than the total number of article views reported by Wikipedia for the entire month of September.

Quick reset is not only a powerful weapon, but an efficient one as well. AWS, Cloudflare and Google work with other cloud, DDoS security and infrastructure providers to minimize the impact of rapid reset attacks, primarily through load balancing and other edge strategies. But that doesn't mean the network is protected. Many organizations remain vulnerable to attack vectors and will need to proactively patch HTTP/2 to stay safe from threats.

Cloudflare stated that this incident represents an important evolution in the DDoS attack landscape and is also the largest scale observed so far. The company believes that for a relatively small botnet to output such a high volume of requests, it has the potential to bring down almost any server or application that supports HTTP/2, highlighting the vulnerability of CVE-2023-44487 to unprotected How big of a threat is the Internet?

So far, HTTP/2 fast reset attacks have not had the significant impact that the cyber attackers behind them hoped. This attack technique needs to be paid close attention to, because DDoS attacks remain one of the favorite tools of cyber attackers. , and they will only become more powerful and complex over time.

conservation advice
For businesses and individual users, the most effective protection methods are updates and patches. When a vendor releases a patch, it should be applied immediately. Cloud service providers and network infrastructure vendors have begun releasing patches for vulnerabilities in the HTTP/2 protocol. If your business uses these services, make sure you have applied these patches.

In addition, companies are advised to:

Keep your network and systems secure. This includes regularly updating and upgrading hardware and software to minimize the chance of attack.

Use DDoS defense tools. These tools can help you monitor network traffic and provide alerts when unusual activity is detected.

Build a strong safety culture. Educating employees to recognize and prevent cyber attacks is essential, including how to deal with spam and identify phishing attacks.

Use a multi-layered security strategy in your network. This includes the use of firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and other security measures.

For individual users, you can:

Keep your equipment updated. Make sure the software on your computers, smartphones and other devices is up to date to reduce your chances of being attacked.

Install anti-virus software. This can help you detect and block malware.

Don't click on links from unknown sources. These links may lead to the download of malware.

Use strong passwords and change them regularly. This can help preventhackerGet your information by guessing your password.

In the future, we can expect DDoS attacks to continue to evolve, but with continued education and preventive measures, we can protect ourselves from these threats.

Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/h2-zero-day-vulnerability-cve-2023-44487-html

Like (1)
Previous October 9, 2023 12:00 pm
Next October 30, 2023 7:00 am

related suggestion