Google, Cloudflare and Amazon Web Services (AWS) have jointly unveiled a new zero-day vulnerability dubbed "HTTP/2 Rapid Reset," which was exploited by unidentified threat actors to launch the largest distributed denial of service (DDoS) attack recorded to date.
During the peak of this series of DDoS attacks, Cloudflare saw over 201 million requests per second (RPS), while Google observed a peak of 398 million RPS, compared with the 46 million RPS peak of last year's largest recorded DDoS attack.
The attacks “relied on a novel HTTP/2 'Rapid Reset' technique based on stream multiplexing that has affected multiple internet infrastructure companies,” Google wrote in a blog post.
According to Cloudflare, the standard HTTP/2 protocol is the backbone for approximately 60% of all web applications. It governs how browsers exchange requests and responses with a website, and therefore the speed and quality of what users see and interact with.
The attackers exploited this by opening hundreds of thousands of streams ("requests") per connection and cancelling each one immediately. HTTP/2 multiplexes many streams over a single TCP connection and caps how many may be open at once (SETTINGS_MAX_CONCURRENT_STREAMS), but a stream the client cancels with an RST_STREAM frame stops counting against that cap at once, while the server has typically already begun work on the request. “By automating this trivial 'request, cancel, request, cancel' pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2,” Cloudflare CSO Grant Bourzikas wrote in a blog post.
“This zero-day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Bourzikas wrote.
Cloudflare and Google warn of the rise of DDoS

Cloudflare and Google's DDoS Response Team highlighted an alarming trend: record-setting DDoS attacks keep growing in size, and each new record arrives sooner than the last.
Last year, Google fended off what was then the largest layer 7 DDoS attack, at 46 million RPS. In February, Cloudflare reported that it had mitigated a 71 million RPS attack, the largest at that time.
Through DDoS attacks, threat actors generally try to disrupt internet-facing websites and services, making them unavailable to users. “Attackers direct overwhelming amounts of internet traffic to targets, which can exhaust their ability to process incoming requests,” according to Google.
These attacks can have far-reaching consequences for victim organizations, including loss of time and money, and disruption of business and mission-critical applications.
What to do about the new zero-day vulnerability

The vulnerability is tracked as CVE-2023-44487 and rated "High" severity, with a CVSS score of 7.5 out of 10.
Cloudflare, Google and AWS underscore the critical need for cooperative efforts in the realm of cybersecurity.
“Soon after detecting the earliest of these attacks in August, Google applied additional mitigation strategies and coordinated a cross-industry response with other cloud providers and software maintainers who implement the HTTP/2 protocol stack,” Google noted. “This cross-industry collaboration has resulted in patches and other mitigation techniques used by many large infrastructure providers.”
The tech giant warns that all organizations or individuals serving HTTP-based workloads on the internet might be vulnerable to this DDoS. “Web applications, services and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable.”
Organizations should verify that every server or proxy that speaks HTTP/2 has the fix for CVE-2023-44487 applied, and patch immediately where it has not. The patches do not change the protocol itself; they make servers count and rate-limit stream cancellations and close connections that abuse them. Because the exposure is in whatever terminates HTTP/2, CDN and load-balancer front ends need the fix as much as origin servers do.
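To make the "request, cancel" mechanism and the shape of the fix concrete, here is an added example written for this page; it is not code from the article or from Cloudflare, Google or AWS. It encodes the HTTP/2 frames such a burst consists of, replays them through a simulated server connection to show why SETTINGS_MAX_CONCURRENT_STREAMS never fires, and then repeats the run with a per-connection reset budget of the kind patched servers added. The frame layout, frame types and error codes are taken from RFC 9113; the server model, the `reset_budget` parameter, the `serve_connection` helper and all traffic are constructed assumptions, and real implementations use rates or per-event-loop counts rather than a flat budget.

```python
# Added example for the HTTP/2 Rapid Reset discussion above (not code from the article).
# Frame encoding follows RFC 9113; the server model and traffic are constructed for illustration.

# Frame types and error codes from RFC 9113.
HEADERS, RST_STREAM, GOAWAY = 0x1, 0x3, 0x7
CANCEL, ENHANCE_YOUR_CALM = 0x8, 0xB
END_STREAM, END_HEADERS = 0x1, 0x4


def frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def rapid_reset_burst(n):
    """Constructed attacker traffic: n GET requests, each cancelled right after it is sent.
    0x82 is the HPACK static-table entry for ':method: GET'."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd and increasing
        out += frame(HEADERS, END_STREAM | END_HEADERS, sid, b"\x82")
        out += frame(RST_STREAM, 0, sid, CANCEL.to_bytes(4, "big"))
    return bytes(out)


def normal_traffic(n):
    """Constructed benign traffic: n GET requests on distinct streams, none cancelled."""
    return b"".join(frame(HEADERS, END_STREAM | END_HEADERS, 2 * i + 1, b"\x82")
                    for i in range(n))


def serve_connection(data, max_concurrent_streams=100, reset_budget=None):
    """Simulate one server connection (assumed model, not any real server's code).

    Returned stats:
      dispatched - requests the server began processing (the cost the client imposes)
      peak_open  - most streams open at once (what SETTINGS_MAX_CONCURRENT_STREAMS limits)
      refused    - HEADERS rejected for exceeding the concurrent-stream limit
      goaway     - error code of the GOAWAY the server sent, or None
    reset_budget is a simplified mitigation: more than this many RST_STREAMs on one
    connection closes it with GOAWAY(ENHANCE_YOUR_CALM)."""
    open_streams, resets = set(), 0
    stats = {"dispatched": 0, "peak_open": 0, "refused": 0, "goaway": None}
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == HEADERS:
            if len(open_streams) >= max_concurrent_streams:
                stats["refused"] += 1  # RFC 9113 s5.1.2: stream error, REFUSED_STREAM
                continue
            open_streams.add(sid)
            stats["peak_open"] = max(stats["peak_open"], len(open_streams))
            stats["dispatched"] += 1  # a real server hands the request to a backend here
        elif ftype == RST_STREAM:
            # The slot is freed immediately; work already dispatched is wasted.
            open_streams.discard(sid)
            resets += 1
            if reset_budget is not None and resets > reset_budget:
                stats["goaway"] = ENHANCE_YOUR_CALM
                break
    return stats


if __name__ == "__main__":
    burst = rapid_reset_burst(10_000)
    print("unpatched:        ", serve_connection(burst))
    print("with reset budget:", serve_connection(burst, reset_budget=50))
    print("benign client:    ", serve_connection(normal_traffic(80), reset_budget=50))
```

Running it shows the asymmetry the article describes: the unpatched connection never has more than one stream open, so the concurrent-stream limit is never reached, yet the server dispatches every one of the 10,000 requests. With the reset budget the same burst is cut off after 51 dispatched requests, while a client that opens 80 streams and cancels none is untouched.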
“There is no such thing as a ‘perfect disclosure.’ Thwarting attacks and responding to emerging incidents requires organizations and security teams to live by an assume-breach mindset — because there will always be another zero day, new evolving threat-actor groups, and never-before-seen novel attacks and techniques,” Bourzikas said.