Record-Breaking DDoS Attacks Target Major Web Companies
Major internet giants, including Google, Amazon, and Cloudflare, have recently fallen victim to the largest distributed denial-of-service (DDoS) attacks ever recorded. These unprecedented attacks have sent shockwaves throughout the tech industry, raising concerns about the vulnerability of the internet's infrastructure.
According to a blog post by Cloudflare, the company observed and repelled a massive DDoS attack in August, which surpassed the previous record set in February. The attack was three times larger in scale, with Cloudflare registering a peak of 201 million requests per second across its infrastructure.
Google's cloud infrastructure also faced a similar onslaught, with an attack rate nearly twice that seen by Cloudflare. As reported by Google, the tech giant mitigated an attack in August that peaked at a staggering 398 million requests per second (RPS). To put this in perspective, an attack they faced in August 2022 peaked at 46 million RPS, equivalent to "receiving all the daily requests to Wikipedia in just 10 seconds."
A significant factor behind these large-scale attacks is a newly discovered vulnerability in the HTTP/2 protocol. This vulnerability, tracked as CVE-2023-44487, allows threat actors to flood websites with massive amounts of traffic, rendering them temporarily unavailable. The exploitation technique, known as the HTTP/2 Rapid Reset Attack, has been a cause for concern among cybersecurity experts.
Concerningly, these extremely large-scale DDoS attacks do not require a huge number of machines. The botnet behind the attack consisted of only about 20,000 individual endpoints, yet it managed to cause significant disruption.
Amazon Web Services (AWS) also witnessed a similar attack on its infrastructure. Senior Amazon security officials Tom Scholl and Mark Ryland mentioned that between August 28 and August 29, 2023, they observed an attack peaking at over 155 million requests per second.
In response to these threats, major tech companies have collaborated to share technical details and develop mitigation strategies. They have urged providers using the HTTP/2 protocol to assess vulnerabilities and apply security patches promptly.
Cloudflare's Chief Information Security Officer, Grant Bourzikas, emphasized the seriousness of the situation in a separate blog post, recommending that companies treat this exploit with utmost priority. He advised network security managers to understand their external connectivity, ensure DDoS protection lies outside their data center, and deploy patches across all internet-facing web servers.