Hackers have uncovered a new flaw in an HTTP network protocol that can be exploited to launch record-breaking DDoS attacks, according to Google.
In August, Google fended off a DDoS attack that leveraged the flaw and peaked at 398 million requests per second (rps). To put that in perspective, the attack was about eight times larger than the 46 million rps HTTP-based DDoS attack that the company fended off a year ago.
Google added: “For a sense of scale, this two minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.”
The attack reached this magnitude because of a vulnerability in the HTTP/2 protocol, which was introduced in 2015. HTTP/2 was designed to let a single internet connection efficiently carry multiple data streams (up to 100 streams) at the same time.
The problem is that this same "concurrent stream" feature can be abused to amplify DDoS attacks, which are designed to overload a server with more traffic than it can handle, knocking it offline. The threat arises when a computer opens numerous streams over HTTP/2 only to cancel them right away. The client treats the cancellation as taking effect immediately, but the server has already started work on the request and must still spend resources processing it.
“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight,” Google says. “By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams.”
The result is that an attacker can generate waves of traffic faster than the server can work through the requests it has already accepted. “Unfortunately the features that make HTTP/2 more efficient for
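To make the open-then-cancel pattern concrete from the server's side, here is an added example (not code from Google, PCMag or any real HTTP/2 implementation) that models one connection: a HEADERS event opens a stream, RST_STREAM cancels it, and DONE marks the server finishing a response. It shows why the concurrent-stream limit alone does not help (a reset frees the slot but not the work already accepted) and adds an assumed per-window reset budget as the kind of guard a server can use to flag and close abusive connections. The limit values, event names and traces are constructed for the example.

```python
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 100  # per-connection limit the article mentions
RESET_BUDGET = 50             # assumed: cancellations tolerated per window
WINDOW_SIZE = 200             # assumed: window length, in observed events

@dataclass
class ConnectionGuard:
    open_streams: set = field(default_factory=set)
    peak_open: int = 0        # most streams open at the same time
    accepted_work: int = 0    # requests the backend still has to finish
    resets_in_window: int = 0
    events_in_window: int = 0
    flagged: bool = False

    def on_event(self, kind: str, stream_id: int) -> str:
        """Apply one event; return 'ok', 'refused' or 'flagged'."""
        self.events_in_window += 1
        if self.events_in_window > WINDOW_SIZE:   # start a fresh window
            self.events_in_window, self.resets_in_window = 1, 0
        if kind == "HEADERS":                      # client opens a stream
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                return "refused"                   # the check resets sidestep
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.accepted_work += 1                # backend work starts now
        elif kind == "RST_STREAM":                 # client cancels the stream
            self.open_streams.discard(stream_id)   # frees the slot ...
            self.resets_in_window += 1             # ... but not the work
            if self.resets_in_window > RESET_BUDGET:
                self.flagged = True                # close this connection
        elif kind == "DONE":                       # server finished responding
            self.open_streams.discard(stream_id)
            self.accepted_work -= 1
        return "flagged" if self.flagged else "ok"

def replay(events):
    """Feed a constructed list of (kind, stream_id) events to a new guard."""
    guard = ConnectionGuard()
    for kind, sid in events:
        guard.on_event(kind, sid)
    return guard

def trace(n, end_kind, first_id=1):
    """Constructed trace: n client streams (odd ids), each ended by end_kind."""
    return [ev for i in range(n) for ev in
            (("HEADERS", first_id + 2 * i), (end_kind, first_id + 2 * i))]
```

Replaying `trace(500, "RST_STREAM")` never has more than one stream open, so the concurrency limit is never hit, yet the backend is left with 500 requests to process and the reset budget flags the connection; a well-behaved trace with a handful of cancellations is not flagged.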
Read more on pcmag.com