💡
Update 2024: the next HTTP/2 protocol attack has been published, called HTTP/2 Continuation Flood; see our article on that issue.

Recently Cloudflare, Google and Amazon published information on a DDoS zero-day that has been seen in the wild since the summer and that leads to immense attack rates. It goes by the name "HTTP/2 Rapid Reset" and even has a CVE attached: CVE-2023-44487.

If you haven't heard of this attack mode yet, you will find all the details in the link list below, but here is a short TL;DR:

💡
"The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately." (Google)

(c) Google. Source: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack?hl=en

We measured the attack potential of the new Rapid Reset attack against established vectors and compared it to the firepower (RPS, requests per second) of IoT bots. We used a small botnet and our well-beloved target, the zeroBS web server. The ordered attack rate, number of threads etc. were always the same. As you can see in the charts below, the attack rate of HTTP/2 Rapid Reset is remarkably higher than that of HTTP/2 multiplexing.

What is also notable: the traffic pattern differs completely between HTTP/2 multiplexing and HTTP/2 Rapid Reset. Multiplexing keeps many streams open and waits for the server to answer them, whereas Rapid Reset opens a stream and cancels it immediately with RST_STREAM, so the client never has to wait for a response before sending the next request.
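To make the mechanism from the TL;DR and the pattern difference above concrete, here is an added example (not zeroBS's code, and not the implementation of any vendor's server): a minimal HTTP/2 frame parser for the RFC 9113 framing layer, two constructed client traffic streams (classic multiplexing flood vs. Rapid Reset), and a per-connection RST_STREAM budget of the kind that was deployed as a mitigation for CVE-2023-44487. The budget values (100 resets per 1 s window), the fixed 1 ms frame spacing of the replay, and all function names are assumptions made for the simulation.

```python
"""Added example, not code from zeroBS or from any vendor's HTTP/2 server.
Parses raw HTTP/2 frames and applies an assumed per-connection reset budget
to constructed Rapid Reset and multiplexing traffic."""
import struct
from collections import deque

FRAME_HEADER_LEN = 9          # RFC 9113: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
HEADERS = 0x1                 # frame type that opens a client stream
RST_STREAM = 0x3              # frame type that cancels a stream
END_STREAM = 0x1
END_HEADERS = 0x4
CANCEL = 0x8                  # RST_STREAM error code a client uses to abandon a request

MAX_RESETS = 100              # assumed budget: RST_STREAMs tolerated per window
WINDOW_S = 1.0                # assumed sliding window length in seconds


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame (9-byte header followed by the payload)."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off < len(data):
        if len(data) - off < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        off += FRAME_HEADER_LEN + length
    return frames


class ResetBudget:
    """Sliding-window counter of client RST_STREAM frames on one connection."""

    def __init__(self, max_resets=MAX_RESETS, window_s=WINDOW_S):
        self.max_resets, self.window_s = max_resets, window_s
        self.resets = deque()

    def observe(self, ftype, now):
        """Return True when the budget is exceeded and the connection should be closed."""
        if ftype != RST_STREAM:
            return False
        self.resets.append(now)
        while self.resets and now - self.resets[0] > self.window_s:
            self.resets.popleft()
        return len(self.resets) > self.max_resets


def rapid_reset_stream(n):
    """Constructed attacker traffic: open a stream, cancel it at once, repeat n times."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += build_frame(HEADERS, END_HEADERS | END_STREAM, sid, b"\x82")  # HPACK index 2 = ":method GET"
        out += build_frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
    return out


def multiplexing_stream(n):
    """Constructed classic HTTP/2 flood: open n streams and wait for the responses."""
    return b"".join(build_frame(HEADERS, END_HEADERS | END_STREAM, 2 * i + 1, b"\x82")
                    for i in range(n))


def inspect_connection(data, frame_interval_s=0.001):
    """Replay a client's frames at a fixed spacing (simulation assumption) and
    report stream/reset counts plus the frame index at which the budget would
    close the connection (None if it never does)."""
    budget = ResetBudget()
    opened = resets = 0
    close_at = None
    for idx, (ftype, _flags, _sid, _payload) in enumerate(parse_frames(data)):
        now = idx * frame_interval_s
        if ftype == HEADERS:
            opened += 1
        elif ftype == RST_STREAM:
            resets += 1
        if close_at is None and budget.observe(ftype, now):
            close_at = idx
    return {"streams_opened": opened, "resets": resets,
            "reset_ratio": resets / opened if opened else 0.0,
            "close_at_frame": close_at}


if __name__ == "__main__":
    print("rapid reset :", inspect_connection(rapid_reset_stream(200)))
    print("multiplexing:", inspect_connection(multiplexing_stream(200)))
```

Run stand-alone, the Rapid Reset replay shows 200 opened streams, 200 resets (ratio 1.0) and a close decision at the 101st RST_STREAM, while the multiplexing replay shows the same 200 opened streams with zero resets and is never closed. The budget deliberately counts RST_STREAM frames per connection rather than open streams, because Rapid Reset never exceeds SETTINGS_MAX_CONCURRENT_STREAMS: every stream is already cancelled before the next one is opened, which is exactly why the classic concurrency limit does not help against it.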

Chart 1: Requests per second per bot (average) for different attack methods

Chart 2: Requests-per-second factor for different attack methods, relative to IoT bots (100%)

Chart 3: Total RPS measured during the test (chart by zeroBS)

Chart 4: Traffic and PPS measured during the test (chart by zeroBS)

References on HTTP/2 Rapid Reset, CVE-2023-44487

Advisories

POCs

Alerts

Technical breakdown

Affected

Not Affected