Don’t Dismiss DDoS Defense

Created: Thursday, October 12, 2023 - 14:29
Categories: Cybersecurity

Google says it mitigated a series of DDoS attacks that peaked at 398 million requests per second (rps), nearly 9 times the largest DDoS attack recorded last year, which peaked at 46 million rps. The latest set of attacks started in August and is still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which abuses stream multiplexing, a feature of the widely adopted HTTP/2 protocol.

In short, the technique involves opening a batch of streams and immediately cancelling them. Because a cancelled stream no longer counts against the connection's concurrent-stream limit, a single HTTP/2 connection can carry an effectively unbounded number of requests, allowing threat actors to overwhelm targeted servers and applications. This “rapid reset” effectively takes down websites and other internet services. To give a sense of the magnitude of the attack strength generated by this technique, Google reported that a two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.

The vulnerability exploited by this new technique is being tracked as CVE-2023-44497, which received a CVSS score of 7.5/10, indicating high severity. The implications of the attack vector are serious, since any enterprise or individual serving an HTTP-based workload to the internet is at potential risk of being targeted. According to W3Techs, 35.6% of all websites use the HTTP/2 protocol, leaving many web applications and services susceptible. As such, it is imperative for organizations running servers that support HTTP/2 to confirm whether they are vulnerable and to apply the patches for CVE-2023-44497 issued by the relevant vendor when available.

While defending against DDoS attacks can be challenging, organizations should deploy load balancers and limit the internet exposure of web applications to reduce potential impact. Likewise, web application firewalls can be used to block unwanted traffic and IP addresses and ranges deemed malicious. To defend against potential “Rapid Reset” attacks, organizations can also create custom rules to automatically block and rate-limit HTTPS traffic that matches known attack signatures.

(Google) Mitigations for this attack vector can take multiple forms, but mostly center around tracking connection statistics and using various signals and business logic to determine how useful each connection is. To mitigate against the non-cancelling variant of this attack, Google recommends that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses. For more, visit Google.
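One way to implement the per-connection accounting described above, as an added example that is not Google's code nor any server's real implementation: a hypothetical tracker that closes a connection when it exceeds the concurrent-stream limit (immediately, or after a configurable number of repeat offences) and, for the cancelling Rapid Reset variant that never trips that limit, when the RST_STREAM rate within a sliding window exceeds a threshold. The reset limit, window length and the constructed frame trace are assumed values chosen for illustration.

```python
from collections import deque

CLOSE, CONTINUE = "close", "continue"

class ConnectionTracker:
    def __init__(self, max_concurrent_streams=100, allowed_violations=0,
                 reset_limit=200, window_seconds=1.0):
        self.max_concurrent = max_concurrent_streams
        self.allowed_violations = allowed_violations  # repeat offences tolerated
        self.reset_limit = reset_limit                # RST_STREAMs allowed per window (assumed)
        self.window = window_seconds
        self.open_streams, self.violations = set(), 0
        self.reset_times = deque()                    # timestamps of recent RST_STREAMs

    def on_headers(self, stream_id):
        # Non-cancelling variant: the client exceeds the advertised concurrent-stream
        # limit. Close at once (allowed_violations=0) or after a few repeat offences.
        if len(self.open_streams) >= self.max_concurrent:
            self.violations += 1
            return CLOSE if self.violations > self.allowed_violations else CONTINUE
        self.open_streams.add(stream_id)
        return CONTINUE

    def on_rst_stream(self, stream_id, now):
        # Rapid Reset: the cancel frees the slot, so the concurrency limit never
        # trips. Track the reset rate in a sliding window as the connection statistic.
        self.open_streams.discard(stream_id)
        self.reset_times.append(now)
        while now - self.reset_times[0] > self.window:
            self.reset_times.popleft()
        return CLOSE if len(self.reset_times) > self.reset_limit else CONTINUE

def replay(events, **limits):
    """Feed (time, frame_type, stream_id) events; return (verdict, frames processed)."""
    tracker = ConnectionTracker(**limits)
    for count, (now, frame, sid) in enumerate(events, start=1):
        if frame == "HEADERS":
            verdict = tracker.on_headers(sid)
        else:  # "RST_STREAM"
            verdict = tracker.on_rst_stream(sid, now)
        if verdict == CLOSE:
            return verdict, count
    return CONTINUE, len(events)

def rapid_reset_trace(n_pairs, gap=1e-5):
    """Constructed trace: each stream is opened and cancelled at once, so at most
    one stream is ever open while every request still reaches the backend."""
    return [(i * gap, frame, 2 * i + 1) for i in range(n_pairs)
            for frame in ("HEADERS", "RST_STREAM")]
```

Replaying a constructed trace of 1,000 open/cancel pairs closes the connection at the 201st reset even though only one stream is ever open, while the same pairs spread over 10 seconds stay under the threshold; a connection that simply opens a 101st stream is closed on the first offence with the default settings.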