In August and September, DDoS attacks reached unprecedented levels, warn Google, Cloudflare, AWS and Microsoft.
The four internet giants Google, Cloudflare, AWS and Microsoft have had to intervene in DDoS attacks on their customers in recent months. DDoS attacks are commonplace for these companies, but this time they are talking about the largest attacks they have ever seen. AWS reports a peak of 155 million requests per second, Cloudflare reports 201 million. The "record holder" is Google, with attacks that peaked at up to 398 million requests per second.
Rapid Reset
All of these recent attacks exploited an Achilles heel in the HTTP/2 protocol that has been named Rapid Reset. Google provides the detailed technical explanation in a blog, although the underlying principle is actually quite simple: the attacker sends a request to the hosting servers and immediately cancels it. When this is done on a large scale and in an automated manner, the servers end up in an endless stream of "request, cancellation, request, cancellation" until they eventually become overwhelmed.
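A defender-side illustration of the request-then-cancel pattern described above, added here and not taken from any of the vendors' blogs: a sliding-window check that flags connections where nearly every opened stream is cancelled by the client. The log format, the thresholds and the sample events are assumptions constructed for this example.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against real traffic.
WINDOW_SECONDS = 1.0
MAX_RESETS_PER_WINDOW = 100   # client cancellations tolerated per window
MAX_RESET_RATIO = 0.9         # share of opened streams cancelled by the client

def parse_event(line):
    """Parse 'timestamp conn_id FRAME_TYPE stream_id' (hypothetical log format)."""
    ts, conn, frame, stream = line.split()
    return float(ts), conn, frame, int(stream)

def flag_rapid_reset(lines):
    """Return the connection ids whose cancel pattern exceeds both thresholds."""
    opened = defaultdict(deque)   # conn -> timestamps of HEADERS (stream opens)
    resets = defaultdict(deque)   # conn -> timestamps of client RST_STREAM
    live = defaultdict(set)       # conn -> stream ids opened and not yet reset
    flagged = set()
    for line in lines:
        ts, conn, frame, stream = parse_event(line)
        if frame == "HEADERS":
            opened[conn].append(ts)
            live[conn].add(stream)
        elif frame == "RST_STREAM" and stream in live[conn]:
            resets[conn].append(ts)
            live[conn].discard(stream)
        else:
            continue
        # Drop events that have left the sliding window.
        for q in (opened[conn], resets[conn]):
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()
        n_open, n_reset = len(opened[conn]), len(resets[conn])
        # Multiplication instead of division avoids a zero-open edge case.
        if n_reset > MAX_RESETS_PER_WINDOW and n_reset >= MAX_RESET_RATIO * n_open:
            flagged.add(conn)
    return flagged

def constructed_sample():
    """Constructed frame log: conn-A is ordinary, conn-B opens and cancels in bulk."""
    lines = [f"{i * 0.05:.3f} conn-A HEADERS {2 * i + 1}" for i in range(20)]
    lines.append("1.000 conn-A RST_STREAM 5")
    for i in range(300):
        t = i * 0.002
        lines.append(f"{t:.4f} conn-B HEADERS {2 * i + 1}")
        lines.append(f"{t + 0.0005:.4f} conn-B RST_STREAM {2 * i + 1}")
    return lines

if __name__ == "__main__":
    print(sorted(flag_rapid_reset(constructed_sample())))
```

A connection that trips the check can be closed or rate-limited at the edge; an occasional client cancellation, as on conn-A, stays well under both thresholds.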
Testing in practice
According to Cloudflare, it is no coincidence that large Internet companies experience many attacks of this magnitude in a short period of time. Malicious actors who discover new techniques find it extremely difficult to test them and understand their effectiveness, because they do not have infrastructure of their own that can absorb such attacks. Therefore, they often run their tests against providers to better understand how their attacks work.
Google, Cloudflare, Microsoft and AWS all say they successfully fended off the attacks without their customers noticing much. Nevertheless, they emphasize the severity of the rapid reset vulnerability. HTTP/2 is the basis for around sixty percent of all web applications, not all of which rely on a strong buffer. The vulnerability only affects HTTP/2 and not the new HTTP/3 protocol.