In recent findings by Cloudflare, a concerning trend has emerged in the world of cyber threats. Since the disclosure of the HTTP/2 Rapid Reset vulnerability, there have been “thousands” of hyper-volumetric HTTP distributed denial-of-service (DDoS) attacks. What’s more alarming is that 89 of these attacks exceeded a staggering 100 million requests per second (rps).
These relentless attacks have led to a 65% surge in the total number of HTTP DDoS attacks in the third quarter compared to Q2. Additionally, L3/4 DDoS attacks saw a 14% increase, marking a disturbing escalation in online threats.
In terms of raw numbers, there were a mind-boggling 8.9 trillion HTTP DDoS attack requests in the quarter, a significant jump from 5.4 trillion in Q2 and 4.7 trillion in Q1.
The catalyst for this onslaught is the HTTP/2 Rapid Reset vulnerability, discovered earlier this month by security researchers from Google and others. Notably, these DDoS attacks reached previously unseen levels of power. In early October, Google reported blocking an attack 7.5 times larger than any previously recorded DDoS incident, hitting 398 million rps.
The wave of attacks, which began in late August and continues to this day, has primarily targeted major infrastructure providers, including Google services, Google Cloud infrastructure, and their customers. Cloud computing service provider Fastly also reported fending off an attack with a stunning 250 million rps.
The attackers responsible for these campaigns are known for targeting firms in various industries, including gaming, IT, cryptocurrencies, computer software, and telecommunications. The attackers are predominantly located in the U.S., China, Brazil, Germany, and Indonesia, while their victims are mostly based in the U.S., Singapore, China, Vietnam, and Canada.
Adding to the complexity of these attacks, Cloudflare highlights that “Botnets that leverage cloud computing platforms and exploit HTTP/2 are able to generate up to x5,000 more force per botnet node.” This capability has allowed them to launch hyper-volumetric DDoS attacks with a relatively small botnet, ranging from 5 to 20 thousand nodes.
It’s noteworthy that for the second consecutive quarter, DNS-based DDoS attacks were the most common, constituting almost 47% of all attacks. This represents a significant 44% increase compared to the previous quarter. SYN floods held the second position, followed by RST floods, UDP floods, and Mirai attacks.