Amazon, Google and Cloudflare said they detected the largest distributed denial-of-service (DDoS) attacks on record in August due to a newly discovered vulnerability. The companies explained on Tuesday morning that a bug tracked as CVE-2023-44487 allowed threat actors a fresh angle for overwhelming websites with a flood of traffic, making them temporarily unavailable to users. Exploitation of the vulnerability is known as an HTTP/2 Rapid Reset Attack. The issue affects HTTP/2 protocol — a pivotal piece of Internet infrastructure that governs how most websites operate. The attacks have not been attributed to any known hacking group. Google’s Juho Snellman and Daniele Iamartino said the tech giant mitigated an attack in August that was more than eight times as large as the previous record. It involved 398 million requests per second (RPS). In August 2022 they had reported stopping an attack that peaked at 46 million requests per second. That one was equivalent to “receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds,” they said. The incidents involving the HTTP/2 vulnerability “were largely stopped at the edge of our network by Google’s global load balancing infrastructure and did not lead to any outages. While the impact was minimal, Google’s DDoS Response Team reviewed the attacks and added additional protections to further mitigate similar attacks,” Snellman and Iamartino said. “In addition to Google’s internal response, we helped lead a coordinated disclosure process with industry partners to address the new HTTP/2 vector across the ecosystem.”

Full report : Amazon, Google, and Cloudflare say a DDoS attack hit 398M RPS in August about 8x larger than the previous record due to a new bug exploited in the wild.