A sad and scary new record was set this past week, with the latest and biggest distributed denial-of-service attack.

The network security provider Cloudflare Inc. posted on its blog today that it had observed and repelled the attack in August. The previous volumetric record was set in February, the August attack was three times as much.

What is especially depressing about this latest DDoS attack was how few machines were needed to create it. Like the February attack, it was abusing the same HTTP/2 protocol, and the botnet was about 20,000 individual endpoints.

Cloudflare observed a peak of 201 million requests per second across its infrastructure. Google’s cloud saw a peak of nearly twice that, according to its blog post. This rate is about 10% to 20% of typical total web transactions, which is a staggering amount.

“This was a novel attack vector at an unprecedented scale. It’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets,” Cloudflare analysts said. Amazon’s Web Services Inc. was also witness to this attack across their infrastructure and involved in the mitigation coordination.

The HTTP/2 protocol is the preferred one in use in most modern web servers, and this latest abuse – dubbed rapid reset — has been disclosed to the major web server vendors, which will most likely implement future patches. It involves sending a request to a web server and then immediately cancelling it, repeated rapidly and without waiting for the request to be satisfied (pictured in thhe accompanying network traffic illustration).

These large-scale DDoS attacks have been seen with increasing frequency by various analysts. “Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with over 10 million requests per second (rps) — and 184 attacks that were greater than our previous DDoS record of 71 million rps,” its analysts said. That’s to be expected, since the bad guys are always looking for ways to amplify traffic — the not-so-secret sauce of DDoS — and the rapid reset does this quite effectively and efficiently.

What is most troubling is the relative size of the botnets involved in the August and February attacks. Cloduflare, Google and other large internet installations regularly detect botnets that are composed of hundreds of thousands of endpoints. The smallish size of these new rapid reset attacks means this vector will most likely be exploited in future exploits.

“We may find different variants to rapid reset with even shorter exploit cycles that contain even more advanced bypasses,” Cloudflare Chief Information Security Officer Grant Bourzikas wrote in a separate blog post. Google’s blog post documents a few of them that they have observed.

Both Microsoft and F5 posted details about rapid reset attacks and suggested mitigation measures.

Bourzikas recommends treating this exploit very seriously, and turning to “incident management, patching and evolving your security protections into ongoing processes — because the patches for each variant of a vulnerability reduce your risk, but they don’t eliminate it.” He posted a series of recommendations for network security managers:

• Understand your external and partner network’s external connectivity to remediate any Internet facing systems.
• Understand your existing security protection and capabilities you have to protect, detect and respond to an attack.
• Ensure your DDoS protection resides outside of your data center. Although this is somewhat self-serving, since Cloudflare sells this service, it is a useful mindset to have, especially if an attack can reach a data center.
• Ensure web server and operating system patches are deployed across all internet facing web servers.

Images: Markusspiske/Pixabay, Google