Technology companies Google, Microsoft, Amazon and Cloudflare have joined forces to mitigate the largest denial of service (DDoS) attack known to date, which could have been carried out due to a zero-day vulnerability in the HTTP/2 protocol. that they use in their infrastructures.
A DDoS attack occurs when a group of users or automation attacks a server or computer from many computers at the same time. Due to its data flow nature, the system crashes and stops working because it has no capacity to process incoming requests.
These types of attacks can have a wide scope in organizations that are victims of cybercriminals, such as the loss of information or the interruption of mission-critical applications, those that must function constantly for the company to function.
Technology giants such as Google, Microsoft, Amazon and Cloudflare have joined forces to curb the impact of what is considered the largest DDoS attack recorded so far, which is tracked as CVE-2023-44487 and has been rated as high severity with a CVSS score. 7.5 out of 10, according to metrics from the US Government's National Vulnerabilities Database (NVD).
This DDoS attack, aimed at Layer 7 or the application layer of the protocol, was based on an HTTP/2 fast restart technique focused on multiplexing, that is, sending different signals over a single transmission medium. in order to collapse the system.
More specifically, cybercriminals took advantage of a zero-day vulnerability in this protocol to use the Fast Restart technique with which they made thousands of requests simultaneously and canceled them immediately. Thus, they overwhelmed the systems and blocked access to the target web pages or applications.
Each of the companies affected by this massive DDoS attack has explained how it has faced this wave of DDoS, which was detected at the end of last August, as well as the measures that its clients should implement to avoid damage to their infrastructure.
Google, for its part, has acknowledged in its blog that in recent years its DDoS response team has seen the number of this type of attacks increase "exponentially", but that it was in August when it determined that it was facing the largest those registered so far.
This, which reached a maximum of 398 million requests per second (rps) on its systems - seven times more than any attack of this type recorded before - also used new techniques to disrupt websites and other internet services.
The American firm has commented that it applied additional mitigation strategies and coordinated responses with other cloud providers and software maintenance systems to nullify the actions.
So, it shared all the information it had about the attack with other companies and explained the methodologies in real time while these attacks were happening. With this, he updated his proxy servers and DDoS defense systems.
Google has also insisted that any service or application that supports HTTP/2 is susceptible to attack and that a patch developed by the various vendors should be applied when available.
With this, you have remembered that this attack is still active and that you have services such as Cloud Armor or Application Load Balancer to protect your software and applications susceptible to these attacks.
Cloudflare, for its part, has commented that the peak of this campaign registered more than 201 million requests per second. Thus, it has indicated that it addressed this vulnerability with technology specifically designed to automatically block any attack.
Amazon has recognized that between August 28 and 29, 2023, Amazon Web Services reached a maximum of more than 155 million requests per second. To mitigate its reach, it employed services like Amazon CloudFront and AWS Shield, which "were able to protect the availability of its applications."
Finally, Microsoft has clarified that its industry partners notified it of this problem in September 2023, at which time it "quickly opened an investigation" and subsequently began working with them to solve the problem.
Created mitigations for IIS (HTTP.sys), .NET (Krestel) and Windows, which are part of Microsoft's security updates released this Tuesday. With this, it has clarified that although this DDos can affect the availability of the service, "by itself it does not compromise customer data" and that so far it has not seen evidence that its users' data has been compromised.
To protect services from this attack, Microsoft recommends using updated web applications with security patches that mitigate CVE-2023-44487, as well as restricting internet access to your web applications whenever possible and enabling tools such as Azure Web Application Firewall (WAF).
