Big name tech firms have all warned about a new type of distributed denial of service (DDoS) event that began in late August.

The warnings came separately from Alphabet’s Google, Cloudflare and Amazon Web Services on Tuesday, when they collectively confirmed the largest DDoS attack to date, which they said they had mitigated.

Google however warned in a blog post that the record-breaking DDoS attack began in late August and “continue to this day, targeting major infrastructure providers including Google services, Google Cloud infrastructure, and our customers.”

DDoS Attack

Last year, Google said it had blocked the largest DDoS attack recorded at the time. But in August, 2023, it stopped an even larger DDoS attack – 7½ times larger – that also used new techniques to try to disrupt websites and Internet services.

And it warned that the DDoS utilised a new technique.

“This new series of DDoS attacks reached a peak of 398 million requests per second (rps), and relied on a novel HTTP/2 ‘Rapid Reset’ technique based on stream multiplexing that has affected multiple Internet infrastructure companies,” said Google. “By contrast, last year’s largest-recorded DDoS attack peaked at 46 million rps.”

Amazon Web Services also issued a blog post on Tuesday, noting that “since late August 2023, AWS has detected and been protecting customer applications from a new type of distributed denial of service (DDoS) event.”

“Between August 28 and August 29, 2023, proactive monitoring by AWS detected an unusual spike in HTTP/2 requests to Amazon CloudFront, peaking at over 155 million requests per second (RPS),” said AWS.

“Within minutes, AWS determined the nature of this unusual activity and found that CloudFront had automatically mitigated a new type of HTTP request flood DDoS event, now called an HTTP/2 rapid reset attack,” it said. “Over those two days, AWS observed and mitigated over a dozen HTTP/2 rapid reset events, and through the month of September, continued to see this new type of HTTP/2 request flood.”

Meanwhile web performance and security specialist Cloudflare also issued its own warning about the DDoS attack.

Earlier today, Cloudflare, along with Google and Amazon AWS, disclosed the existence of a novel zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack,” Cloudflare warned. “This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks.”

“Cloudflare has mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack we’ve observed, which exceeded 201 million requests per second (rps),” it said. “Since the end of August 2023, Cloudflare has mitigated more than 1,100 other attacks with over 10 million rps – and 184 attacks that were greater than our previous DDoS record of 71 million rps.”

Update now

All three companies urged IT teams to update their web servers to remove the vulnerability.

At the time of writing, there was no indication from any of the tech giants as to the origin of the DDoS attack, or who was responsible.

Meanwhile the US government’s cybersecurity watchdog, CISA, issued an advisory about the matter on X (aka Twitter), and urged organisations providing HTTP/2 services to apply patches when available.

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago