There's an important vulnerability being disclosed today that allows attackers to massively increase the size of DDoS attacks.
The flaw is being tracked as CVE-2023-44487, a.k.a. "HTTP/2 Rapid Reset Attack." According to Damian Menscher at Google, the attack "works by sending a request and then immediately cancelling it (a feature of HTTP/2). This lets attackers skip waiting for responses, resulting in a more efficient attack."
More info:
https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
@briankrebs Why would standard DDOS protection not apply here?
@LouisIngenthron Maybe because it's abusing a feature less than a vulnerability?
@briankrebs I thought that DDOS protection shuts down or rate-limits connection attempts after detecting a high volume, right? Does that detection just not work if the requestor also sends cancellation messages?
In other words, after the first 10 or 100 are sent and cancelled, why would the server not just reject any connection attempt from that host?
@cek To the best of my knowledge, everything you just said applies to traditional DDOS attacks too. You can't tell if they're malicious either, but once they go over the limit, you cut them off anyway to play defense. Why does that not apply here?
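A defender-side model of the mitigation that the thread's questions circle around, added here as an illustrative example and not code from the post, from Google or from AWS: because Rapid Reset sends every request and cancellation over one already-open HTTP/2 connection, a limiter that counts connection attempts per host sees nothing, so the counter has to sit on stream cancellations (RST_STREAM frames) per connection. The frame events, stream IDs and thresholds below are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

# Each constructed event is (timestamp_seconds, frame_type, stream_id).
# HEADERS opens a stream (one request); RST_STREAM cancels it.

@dataclass
class ConnectionState:
    max_resets: int = 100          # RST_STREAM frames tolerated per window
    window_seconds: float = 1.0    # sliding window for counting resets
    resets: deque = field(default_factory=deque)
    closed: bool = False

    def on_frame(self, ts, frame_type, stream_id):
        """Return 'OK', 'GOAWAY' (connection closed now) or 'DROP' (already closed)."""
        if self.closed:
            return "DROP"
        if frame_type == "RST_STREAM":
            self.resets.append(ts)
            # Expire resets that fell out of the window.
            while self.resets and ts - self.resets[0] > self.window_seconds:
                self.resets.popleft()
            if len(self.resets) > self.max_resets:
                self.closed = True       # server would send GOAWAY and drop the peer
                return "GOAWAY"
        return "OK"

def simulate(frames, max_resets=100, window_seconds=1.0):
    """Feed frames through the limiter; return the index that triggered GOAWAY, or None."""
    conn = ConnectionState(max_resets=max_resets, window_seconds=window_seconds)
    for i, (ts, ftype, sid) in enumerate(frames):
        if conn.on_frame(ts, ftype, sid) == "GOAWAY":
            return i
    return None

def rapid_reset_frames(n=200, gap=0.001):
    """Constructed abuse pattern: open a stream and cancel it at once, n times in n ms."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                       # client-initiated streams use odd IDs
        frames.append((i * gap, "HEADERS", sid))
        frames.append((i * gap, "RST_STREAM", sid))
    return frames

def normal_frames():
    """Constructed benign client: 50 requests over 10 s, one in ten cancelled."""
    frames = []
    for i in range(50):
        sid, ts = 2 * i + 1, i * 0.2
        frames.append((ts, "HEADERS", sid))
        if i % 10 == 0:
            frames.append((ts + 0.05, "RST_STREAM", sid))
    return frames
```

The benign client never trips the limiter, while the abusive pattern is cut off on its 101st cancellation (frame index 201), well before the server has done any work for the cancelled requests.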