Businesses running core operations on cloud platforms have been targeted by record-setting distributed denial of service (DDoS) attacks made possible by a novel attack technique that weaponises HTTP/2, a core Internet protocol that was designed to help websites load faster.

Cloud services platforms including Google, Amazon Web Services (AWS) and Cloudflare have all reported customers being hit by the ‘HTTP/2 Rapid Reset’ attack, which succeeded in pummelling victims with DDoS attacks of 398 million requests per second (rps), 155 million rps, and 201 million rps, respectively.

Those figures eclipsed previous records for the attacks, which – as infamously happened to Australia’s 2016 Census – abuse common Internet protocols to flood victims with so much traffic that their websites and online services become unavailable to legitimate users.

Such HTTP flood attacks are tricky to protect against because they use otherwise legitimate protocols that are fundamental to the Internet’s operation – but overwhelm targets when attackers co-ordinate attacks from armies of compromised systems simultaneously.

In this case, HTTP/2 – a protocol that improves website performance by enabling a web browser to request and load many parts of a website at the same time – was abused by manipulating a feature that allows a web browser to cancel its request for data.

Such requests can optimise website performance – for example, by stopping the download of unnecessary content, such as images that have scrolled offscreen – but the new attack abuses this by sending what Cloudflare systems engineers Lucas Pardue and Julien Desgats called “an enormous chain of requests and resets at the start of a connection.”

“Servers eagerly read them all and create stress on the upstream servers to the point of being unable to process any new incoming request,” they said, noting that the cloud provider had initially seen “some impact to customer traffic” until its built-in DDoS defences kicked in.

“Because the attack abuses an underlying weakness in the HTTP/2 protocol,” they wrote, “we believe any vendor that has implemented HTTP/2 will be subject to the attack [including] every modern web server.”

Update your DDoS protections

The HTTP/2 Rapid Reset technique – whose efficacy was called “astonishing” by Qualys Threat Research Unit product manager Saeed Abbasi in warning that “botnets can generate massive request rates, posing a severe threat to targeted web infrastructures” – was observed being used in real-world attacks between August and October.

Although the Australian Cyber Security Centre (ACSC) has so far remained mum about the HTTP/2 compromise, its potentially significant impact on victim networks drove the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an advisory about the threat as cloud and Internet infrastructure companies moved to respond.

Microsoft, for its part, issued patches for Windows and its core Internet servers while urging customers to implement web application firewalls to protect against DDoS attacks.

Google, AWS and Cloudflare – which coordinated the public announcement of the attack – have updated their systems to identify and block it, advising customers to also review their use of HTTP/2 and contact web server vendors for updates.

“As we work to defend our infrastructure and your data, we look for ways to help protect you automatically,” noted AWS director of security Mark Ryland. “Whenever possible [we] disrupt threats where that action will be most impactful; often, this work happens largely behind the scenes.”

Yet with the new attack tactic already proving effective in the wild, its inherent scalability had network specialists sitting up and taking notice: the record-setting attacks were created with a botnet that had just 20,000 compromised machines, which Pardue and Desgats called “concerning” given that malicious botnets often include thousands or millions of machines.

“Given that the entire web typically sees only between 1-3 billion rps,” they wrote, “it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets.”