The Mozi botnet has been documented as able to conduct HTTP, TCP, UDP, and other attacks. More information can be found in the April 2024 Sensor Intel Series article.

[back to top]

And Another Step Back: Emerging DDoS Attack Vectors

HTTP/2 Abuse

The relatively new HTTP/2 protocol (new in internet terms, since the protocol is now almost ten years old) recently came under the spotlight of security researchers. The latter half of 2024 and start of 2024 saw not one, but two, new vulnerabilities which could create denial-of-service conditions even when HTTP/2 implementations followed the RFC to the letter. This is a big deal. Oftentimes it is a specific implementation of an RFC which is found to be vulnerable. In both following cases involving HTTP/2, however, all implementations are potentially vulnerable since the RFC itself did not consider all potential vectors of abuse.

HTTP/2 Rapid Reset Attack

The first HTTP/2 denial-of-service vulnerability, eventually published under CVE-2023-44487, was first discovered by Google after mitigating the largest application layer attacks ever seen. It is well defined by the CERT-EU security advisory:

The vulnerability exploits a weakness in the HTTP/2 protocol, allowing attackers to generate hyper-volumetric DDoS attacks. The attack involves sending a large number of HTTP/2 streams and immediately cancelling them, creating a cost asymmetry between the client and server. The attacker exploits the RST_STREAM and GOAWAY frames of the HTTP/2 protocol to manipulate the connection. This leaves the server doing significant work for cancelled requests while the client pays almost no costs.

HTTP/2 Continuation Frame Attack

The second HTTP/2 DoS vulnerability was announced in May 2024 and, for anyone that remembers it, shares a theme with the Slow Post denial of service attack method.

The binary HTTP/2 protocol features multiple types of ‘frames’. Some are used as Headers, others contain Data to be sent between the client and server. Other frame types also exist and one of them is known as a Continuation frame. This is used to signal to the server that the client has more data to send so the connection should be left open. A malicious HTTP/2 client is able to send an arbitrary number of Continuation frames to the server and exhaust its available memory. The F5 DevCentral community has a great write up on HTTP/2 Continuation Frame Attacks.

The CERT Coordination Center details Vulnerability Note VU#421644 and it is this article that should be used to look for CVEs against specific HTTP/2 implementations.

Loop DoS

Attackers making use of UDP floods often benefit from the ability to spoof the source IP address which results in ineffectual IP based blocking. UDP packets, however, still require that traffic is generated from a malicious or compromised clients (zombies) in a botnet. Loop DoS, by contrast, needs no such botnet. A single malicious request to Alice results in a flood of traffic to Bob. Bob then responds to Alice, generating yet more unwanted traffic. Essentially, Alice and Bob are tricked into  attacking each. Despite this potential attack vector being known since 1996, it was only revealed as a practical attack method in March 2024 with protocols such TFTP, DNS, NTP, Echo and Chargen open to exploit. A reported 300,000 servers were potentially vulnerable to this attack.

DNSbomb

As if DNS hasn’t already been exploited enough for denial of service attack vectors (such as NXDOMAIN attacks as well as DNS reflection floods) yet another exploit was revealed for this much beleaguered protocol. Just as with the HTTP/2 based attacks, this method exploits not a vulnerability, but deliberate mechanisms defined within the RFC 1035 specification.

Researchers determined that by making use of availability, security, and reliability features of DNS, it is possible to accumulate DNS queries such that all responses are let loose at once in “pulsing bursts”, which could result in a potential denial of service situation. Individual DNS vendors have issued their own CVEs but an industry-wide CVE was also published under CVE-2024-33655.

[back to top]

2023 DDoS Attack Trends

After slow but marked decline in DoS attacks over recent years, 2023 saw a staggering increase compared with 2022. DDoS attacks have not only become more prevalent, in part due to their commoditisation and ease of use, but also due to rising global tensions and the ease with which hacktivists can launch an attack.

[back to top]

DDoS Attacks Explode in 2023

The global map shown in Figure 3 provides a glanceable view of the attacks seen by F5 Distributed Cloud over the course of 2023. While the number of attacks encountered by each region appears to vary drastically, the frequency of incidents is directly proportional to the number of customers in any given region. What does mean? Regardless of the postal address of an organization’s headquarters, or the virtual address of its IPv4 space, attackers care not for geographical boundaries. While individual counties do see more incidents than others, no one continent is worse than any other when averaging out countries in that region. We dive in to regional and country-level comparisons later in this report.