Pierluigi Paganini October 26, 2023

Cloudflare mitigated thousands of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks exploiting the flaw HTTP/2 Rapid Reset.

Cloudflare DDoS threat report of 2023 states that the company has mitigated thousands of hyper-volumetric HTTP distributed denial-of-service attacks.

89 of the attacks mitigated by the company exceeded 100 million requests per second (rps), the largest attack peaked at 201 million rps, which is three times higher than the previous largest attack on record (71M rps). These attacks exploited the HTTP/2 Rapid Reset vulnerability (CVE-2023-44487).

“The campaign contributed to an overall increase of 65% in HTTP DDoS attack traffic in Q3 compared to the previous quarter. Similarly, L3/4 DDoS attacks also increased by 14% alongside numerous attacks in the terabit-per-second range — the largest peaked at 2.6 Tbps.” reads the report published by the company.

The frequency of HTTP DDoS attacks in Q3 rose by 15% compared to Q2. The researchers reported that, in the current quarter, this trend intensified significantly. In Q2, the volume of attacks increased 65% compared to the previous quarter, the researchers reported a total of 8.9 trillion HTTP DDoS requests automatically detected and mitigated by Cloudflare infrastructure.

The botnets used to launch the attacks leverage cloud computing platforms and exploit HTTP/2, they were able to generate up to x5,000 more force per botnet node. This amplification factor allows a small botnet ranging 5-20 thousand nodes to launch hyper-volumetric DDoS attacks.

According to the report, the analysis of the two-month-long DDoS campaign revealed that Cloudflare infrastructure was the main target of the attacks. 19% of all attacks targeted Cloudflare websites and infrastructure, 18% targeted Gaming companies, and 10% targeted well-known VoIP providers.

The top sources of the attacks are the U.S., China, Brazil, Germany, and Indonesia.

The U.S., Singapore, China, Vietnam, and Canada are the main targets of HTTP DDoS attacks.

The top attacked industries by HTTP DDoS attacks are the Gaming and Gambling industry and Cryptocurrency industry.

“Aside from the most common attack vectors, we also saw significant increases in lesser known attack vectors. These tend to be very volatile as threat actors try to “reduce, reuse and recycle” older attack vectors. These tend to be UDP-based protocols that can be exploited to launch amplification and reflection DDoS attacks.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Cloudflare)