In late August and early September this year, someone unleashed enormous distributed denial of service (DDoS) attacks which hit customers of Amazon Web Services, Microsoft and Google.
The completely new attacks are called HTTP/2 Rapid Reset and were the largest ever recorded, but we didn’t hear about them atthe time, only now when the internet companies above have published details on them. What happened?
First, some background. In simple terms, a denial of service attack means making a networked server stop responding to requests. It can be a small number of malformed requests or absolutely heaps and by accident or deliberately. Add a d for distributed, and that’s attack traffic coming from lots of different places.
Imagine then if attackers find a new flaw that can be exploited more or less anonymously and safely thousands of kilometres away, and cheaply too. Interrupt government websites, take out e-commerce, prevent internet banking transactions and more.
A malicious actor can do lots of damage, like in 2020 when NZX got hit by a DDoS and went into a trading halt.
The technical explanation behind the HTTP/2 DDoS attack is very deep geek indeed. Long story short, attackers have figured out how to abuse a feature in the protocol or the language your web browser uses to communicate with internet web servers, and vice versa.
That language is the hypertext transfer protocol, major version 2, which popped up in 2015. A huge amount of web servers around the world support it.
Now, the general idea behind HTTP/2 was to make HTTP, as invented by British computer scientist Tim Berners-Lee, work harder, faster and better for streaming, applications and all the day-to-day stuff we use the web for.
HTTP/2 is based on work originally done by Google. Ironically, when the new protocol was being worked on, network geeks complained that it was unnecessarily complex which is never a good thing, and developed too quickly.
Turns out that said network geeks likely had a point, as Netflix and Google found eight denial-of-service attacks in 2019 that were a variation of the same bug, and which had to be sorted out or mitigated against.
And now there’s a novel, incredibly powerful attack that’s easy for attackers to abuse.
Who were the attackers then and why did they do it? That’s not public knowledge yet but, clearly, they know the HTTP/2 DDoS was powerful enough to level at AWS, Google and Cloudflare which all have huge network capacity.
It is also a strongly asymmetric attack that requires few resources to launch, which is a worry.
You may have heard the term botnet before: it refers to a network of compromised computers controlled by attackers.
People click on the wrong link or run software with hidden, malicious functionality and they might not even know that their computers are now hijacked and part of a botnet.
The thing is, for the HTTP/2 attacks, Cloudflare believes that a small botnet of just 20,000 machines was used. Botnets are usually several hundreds of thousands or even millions of machines strong.
The NZX was hit by a DDoS attack in 2020.
Here we have a relatively small number of machines being able to generate an attack that was almost three times the size of the next biggest one on record. Cloudflare’s post-mortem of the attack said the flood of traffic reached 201 million requests per second.
Google said it fended off an even bigger attack that peaked above 398 million requests per second.
This compares to the entire web, which Cloudflare says comprises one to three billion requests per second.
How did we escape widespread service outages then? This time the big tech companies that host most of the web these days were correctly prepared, detected the attacks in time and neutralised the malicious traffic.
They’re now having a circle pat on the back about it, and the usual unsubtle sales spiel to businesses about buying products and services for their protection.
However, as Cloudflare noted:
“ ... it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets.”
That alone guarantees more attacks in the future.
Already, Google has detected modified versions of the HTTP/2 attacks. They’re less effective than the initial one, but someone out there is adapting the technique in the hope of getting around mitigations and defences.
Meanwhile, as evidenced by HTTP/2 Rapid Reset, the tech industry is chronically unable to create secure software no matter how important its intended use is, and despite past disasters to learn from.
The vulnerability will also have to be fixed everywhere on the web, a slow and patchy process at best.
There is probably only one possible outcome from that scenario, and it’s not a good one.
