Google Cloud and Amazon Web Services Among Targets of Record-Breaking DDoS Attack

Internet infrastructure providers Google Cloud, Cloudflare, Microsoft and Amazon Web Services have reported a DDoS (distributed-denial-of-service) attack that was seven times larger than the previous record-breaking attack in 2022. 

The attacks took place in October and the origins were traced back to August. They were part of a mass exploit of a zero-day vulnerability. 

2023 has seen an onslaught of DDoS attacks. In the first half of 2023 alone, there were 7.9 million DDoS attacks globally, according to Netscout, and 969,636 in the United States. The global figure equals around 44,000 attacks occurring each day. This alarming statistic represents a 31 percent increase compared to the same period in 2022. 

These attacks lasted, on average, 1,443 minutes, which translates to nearly 24 hours of disruption. This level of persistence demonstrates the severity of the problem and its potential impact on businesses and services.

Google published a blog post detailing the attack, revealing that it was the largest DDoS attack “to date,” with requests per second (rps) peaking at over 398 million, making it seven and a half times larger than the previous record-breaking DDoS attack. Google noted that 398 million rps is equivalent to “more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.” 

Dubbed “HTTP/2 Rapid Reset,” the vulnerability can only be exploited for denial of service—it doesn’t allow attackers to remotely take over a server or exfiltrate data. Still, this is problematic because availability is vital for access to any digital service, from critical infrastructure to crucial information.

Though the string of recent DDoS attacks on Google, Cloudflare, Microsoft, and Amazon raised the alarm for being so large, the companies were ultimately able to repel the attacks and avoid lasting damage. But just by successfully carrying out the assaults, hackers revealed the existence of the protocol vulnerability and how it could be exploited—a cause and effect known in the security community as “burning a zero day.” 

How can companies prepare for DDoS attacks? 

  • Ensure networks are secure. 
  • Routers should be password-protected.
  • Passwords should not be stored on web browsers.
  • Use a password management utility to create multiple strong passwords. 
  • Make sure malware and virus protection software is updated regularly. 
  • Protect IoT devices with strong passwords and disable service on those devices when they are not needed. 

All providers who have HTTP/2 services should assess their exposure to this issue and check for software patches and updates for common web servers and programming languages.