In recent times, Google’s various services alongside its Cloud clientele fell under the radar of an innovative DDoS attack, leveraging the HTTP/2 protocol, with the crescendo of these attacks being witnessed in August. Surpassing previous records, these Layer 7 attacks scaled new heights with one such assault peaking at a staggering 398 million requests per second.
Thanks to Google’s robust global load-balancing infrastructure, the onslaught was primarily halted at the network’s perimeter, ensuring no service outages ensued. Though the repercussions were on the lower side, the episode didn’t go unnoticed. The Google DDoS Response Team meticulously reviewed the attack patterns and fortified the existing defense mechanisms to fend off similar future incursions. Besides bolstering internal security measures, a collaborative disclosure initiative was spearheaded alongside industry counterparts to tackle this newfound HTTP/2 threat on a broader spectrum.
The ensuing discussion unfolds the evolution of Layer 7 attacks, shedding light on the metamorphosis that made the recent attacks overwhelmingly larger, and explores mitigation blueprints believed to be efficacious against such adversarial schemes. The discourse is lensed through the prism of a reverse proxy setup, an architecture where HTTP requests are intercepted and redirected by a reverse proxy to other services. Although tailored to this specific setup, the principles discussed herein are equally applicable to HTTP servers embedded within application servers, albeit with slight nuances that could potentially steer towards varying mitigation plans.
HTTP/2: A Double-Edged Sword for DDoS
Post 2021, a sweeping majority of Layer 7 DDoS attacks targeting Google’s proprietary services have been orchestrated using HTTP/2, both in terms of attack frequency and peak request rates. HTTP/2, designed with efficiency at its core, has inadvertently become a boon for DDoS assailants. The very features that amplify HTTP/2’s efficiency for legitimate users have morphed into tools for orchestrating more potent DDoS attacks.
HTTP/2’s hallmark is “stream multiplexing” – a mechanism that optimizes TCP connection usage by allowing multiple “streams” (bidirectional channels for message exchange) to function concurrently. This feature, which significantly elevates the rate of in-flight requests without the hassle of managing numerous connections, becomes a leverage point for attackers.
In the realm of Layer 7 DoS attacks, one of the primary hurdles for assailants is the number of simultaneous transport connections. Each connection incurs costs, encompassing memory allocation for socket records and buffers, CPU cycles for TLS handshakes, and unique four-tuple requirements, which limit the number of concurrent connections between two IP addresses.
Contrastingly, HTTP/2 facilitates the initiation of multiple concurrent streams over a single TCP connection, with each stream representing an HTTP request. Though theoretically, the server can control the maximum number of concurrent open streams, practical scenarios often see clients spawning up to 100 streams per request, processed in parallel by servers.
The HTTP/2 ‘Rapid Reset’ Onslaught
The HTTP/2 protocol accords clients the ability to signal server-side stream cancellation via a RST_STREAM frame, sans any obligatory coordination. Dubbed the ‘Rapid Reset’ attack, this strategy exploits the protocol’s provision for clients to promptly send a RST_STREAM frame post request frame dispatch, tricking the server into initiating request processing only to have it abruptly halted, albeit without closing the HTTP/2 connection.
The ‘Rapid Reset’ attack is orchestrated by opening a multitude of streams akin to a standard HTTP/2 attack, but with a twist – instead of awaiting server or proxy responses to each request stream, every request is instantaneously cancelled by the client.
This modus operandi allows for an indefinite number of in-flight requests per connection, with the explicit cancellation ensuring that the concurrent open streams limit is never breached. The server, however, is still burdened with processing overhead for the cancelled requests, creating an exploitable cost disparity between server and client.
Variants of the ‘Rapid Reset’ Attack
Subsequent to the initial wave of attacks, several ‘Rapid Reset’ variants emerged, albeit not as potent as the original. These offshoots, while not maximizing connection utilization, still displayed higher efficiency compared to conventional HTTP/2 DDoS attacks.
Mitigation Strategies: A Multilayered Approach
Simple request blocking isn’t perceived as a viable solution against such attacks. Instead, a more stringent measure such as closing the entire TCP connection upon detection of malicious activity is advocated. Although HTTP/2 supports connection closure via the GOAWAY frame type, typical implementations often lack robustness against malicious clients. Hence, an immediate stream creation limit imposition via the GOAWAY frame is recommended to curb inbound requests effectively.
Identifying abusive connections forms the crux of the mitigation effort. Despite the legitimate use of request cancellation in HTTP/2 protocol, a connection exhibiting excessive request cancellations could be earmarked for mitigation action. The nature and severity of the response would hinge on the risk profile of each platform, ranging from assertive GOAWAY frames to outright TCP connection termination.
For thwarting the non-cancelling variant, it’s advised that HTTP/2 servers should terminate connections that overshoot the concurrent stream limit, either instantly or post a few recurrent transgressions.
Protocol-Specific Applicability
The threat vectors discussed herein don’t port directly to HTTP/3 (QUIC) due to inherent protocol variances. Currently, HTTP/3 hasn’t been observed as a DDoS vector at scale by Google. Nonetheless, it’s prudent for HTTP/3 server implementations to proactively embed mechanisms to curtail the workload imposed by a single transport connection, akin to the HTTP/2 countermeasures elucidated above.
Industry-Wide Cooperation
Early in the investigation phase, in sync with industry allies, it was recognized that the newfound attack modality could have widespread implications across entities employing the HTTP/2 protocol. Google played a pivotal role in orchestrating a coordinated vulnerability disclosure drive, leveraging a pre-existing collaborative group, a conduit used for several past initiatives.
This collaborative endeavor primarily aimed at alerting large-scale HTTP/2 implementers, encompassing infrastructure entities and server software providers, to devise and ready mitigations for a coordinated rollout. The collaborative spirit fostered herein has historically enabled the broad-spectrum activation of protective measures for service providers or facilitated software updates for a myriad of packages and solutions.
In the course of this disclosure initiative, the identifier CVE-2023-44487 was earmarked to track fixes across various HTTP/2 implementations.
Looking Ahead
The emergence of the HTTP/2 Rapid Reset DDoS attack has underscored the ever-evolving nature of cybersecurity threats. The adept exploitation of HTTP/2’s efficiency-centric features to orchestrate potent DDoS attacks lays bare an urgent need for adaptive and robust security measures. This incident reinforces the crucial understanding that the very innovations aimed at enhancing web performance and user experience can be twisted into formidable tools in the hands of adversaries.
Prevention and mitigation against such sophisticated attacks necessitate a multi-pronged approach. Here are several avenues that could be explored to fortify defenses against similar future threats:
- Protocol Enhancements:
- Future iterations of HTTP protocols could be designed with built-in security measures to thwart such exploitation right from the get-go.
- Inculcating better control mechanisms over stream multiplexing and request cancellations could be instrumental in curbing such attack vectors.
- Real-Time Monitoring and Analytics:
- Employing advanced real-time monitoring and analytics to promptly detect anomalous behaviors and respond to potential threats could be a game-changer.
- Machine learning and AI-driven analytics could play a pivotal role in identifying and mitigating novel attack vectors swiftly.
- Collaborative Security Frameworks:
- The collaborative disclosure initiative led by Google exemplifies the power of industry-wide collaboration.
- Establishing standardized frameworks for shared threat intelligence and coordinated response could significantly enhance collective security posture.
- Enhanced Mitigation Strategies:
- Developing and implementing adaptive mitigation strategies that can evolve with changing threat landscapes is imperative.
- This includes not only technical solutions but also proactive threat hunting and regular security auditing to identify and rectify vulnerabilities before they are exploited.
- Education and Awareness:
- Building awareness and educating stakeholders about potential threats and best practices is foundational for fostering a culture of security.
- This extends to educating developers on secure coding practices to prevent inadvertent protocol or application vulnerabilities.
- Legislative and Regulatory Measures:
- Encouraging the adoption of stringent cybersecurity standards through legislative and regulatory frameworks could drive a higher level of preparedness and responsiveness among organizations.
- Vendor and Third-Party Security Assurance:
- Ensuring security assurance from vendors and third-party service providers is crucial as the chain is only as strong as its weakest link.
- Investing in Cybersecurity Infrastructure:
- Sufficient investments in cybersecurity infrastructure and the adoption of modern security technologies are critical for building resilient systems capable of withstanding evolving threats.
- Continuous Research and Development:
- Fostering a continuous R&D culture to stay ahead of potential threats and developing preemptive security measures is essential.
- Global Cybersecurity Alliances:
- Forming global cybersecurity alliances can help in sharing critical threat intelligence, and coordinating on creating international cybersecurity standards and protocols.
In conclusion, the HTTP/2 Rapid Reset DDoS attack is a stark reminder of the relentless innovation in adversarial tactics. It beckons a synergistic approach encompassing protocol enhancements, collaborative security frameworks, advanced real-time monitoring, and a persistent commitment to cybersecurity education and investment. Only through such a holistic approach can the digital realm hope to stay a step ahead of malevolent actors and assure a secure and resilient cyber ecosystem for the future.
