Tech giants Alphabet, Amazon, and Cloudflare said they fended off the internet’s biggest known denial-of-service attack in August and are sounding an alert over an emerging disruptive technique.
In a blog post, Google parent Alphabet said the most recent distributed denial-of-service (DDoS) attack was extremely fast, sending 398 million fake visits in just one second, and used a new trick to try to break websites. In a DDoS attack, the attacker clogs up a website with fake visits to crash the portal.
The attacker in the latest assault deployed a new “Rapid Reset” technique based on HTTP/2 stream multiplexing, Google said.
To put the scale of this attack in perspective, the two-minute onslaught generated more requests than all the article views Wikipedia reported for the entire month of September, it said.
Amazon arm Amazon Web Services (AWS) also confirmed that it countered “a new type of DDoS event” between 28 and 29 August that continued into September.
“Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood,” AWS said.
Explaining how the exploit works, web performance and security firm Cloudflare said HTTP/2 is responsible for how browsers interact with a website, allowing them to ‘request’ to view things such as images and text quickly, and all at once no matter how complex the website.
“This new attack works by making hundreds of thousands of ‘requests’ and immediately canceling them. By automating this ‘request, cancel, request, cancel’ pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline,” Cloudflare said.
“‘Rapid Reset’ provides threat actors with a powerful new way to attack victims across the Internet at an order of magnitude larger than anything the Internet has seen before. HTTP/2 is the basis for about 60% of all web applications, and determines the speed and quality of how users see and interact with websites,” Cloudflare added.
While Google said the attack in August was seven-and-a-half times larger than the most significant attack that the tech giant blocked the previous year, Cloudflare said the attacks leveraging ‘Rapid Reset’ were nearly three times larger than the largest DDoS attack ever in internet history.
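The "request, cancel, request, cancel" pattern described above can be spotted per connection by counting streams that are reset almost immediately after they are opened. The following is an added example, not code from Google, AWS or Cloudflare; the frame-log tuple format, the thresholds and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

CANCEL_WINDOW = 0.05  # assumed: max HEADERS -> RST_STREAM gap (s) counted as "rapid"
RATE_WINDOW = 1.0     # assumed: sliding window (s) over which rapid cancels are counted
THRESHOLD = 100       # assumed: rapid cancels per window before a connection is flagged

def find_rapid_reset(frames, cancel_window=CANCEL_WINDOW,
                     rate_window=RATE_WINDOW, threshold=THRESHOLD):
    """Return {conn_id: time first flagged} for connections showing the pattern.

    frames: time-ordered (time, conn_id, frame_type, stream_id) tuples for
    client-sent HTTP/2 frames (hypothetical log format)."""
    opened = defaultdict(dict)   # conn -> {stream_id: time HEADERS was seen}
    recent = defaultdict(deque)  # conn -> times of recent rapid cancels
    flagged = {}
    for ts, conn, ftype, sid in frames:
        if ftype == "HEADERS":
            streams = opened[conn]
            streams[sid] = ts
            # Forget streams too old to count as a rapid cancel (dicts keep
            # insertion order), so long-lived connections use bounded memory.
            while ts - next(iter(streams.values())) > cancel_window:
                del streams[next(iter(streams))]
        elif ftype == "RST_STREAM":
            start = opened[conn].pop(sid, None)
            if start is None or ts - start > cancel_window:
                continue  # unknown stream or a slow cancel: ordinary behaviour
            q = recent[conn]
            q.append(ts)
            while ts - q[0] > rate_window:
                q.popleft()
            if len(q) >= threshold and conn not in flagged:
                flagged[conn] = ts
    return flagged

def sample_frames():
    """Constructed traffic: 'A' browses normally, 'B' opens and cancels streams."""
    frames = [(i * 0.2, "A", "HEADERS", 2 * i + 1) for i in range(5)]
    frames.append((0.9, "A", "RST_STREAM", 9))  # one slow cancel, 0.1 s after open
    for i in range(300):                        # 300 open/cancel pairs in 0.3 s
        t = i * 0.001
        frames.append((t, "B", "HEADERS", 2 * i + 1))
        frames.append((t + 0.0005, "B", "RST_STREAM", 2 * i + 1))
    return sorted(frames, key=lambda f: f[0])

if __name__ == "__main__":
    print(find_rapid_reset(sample_frames()))
```

Connection "B" is flagged on its 100th immediate cancel, while "A", whose single cancel comes well after the request was opened, is not.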