Decoding HTTP/2 Rapid Reset Zero-Day (CVE-2023-44487) Exploited

Health-ISAC is distributing this bulletin for your situational awareness.

On October 10, 2023, DDoS Protection firm CloudFlare, in conjunction with Google and Amazon AWS released a statement regarding the discovery of a zero-day vulnerability which could generate massive hyper-volumetric Distributed Denial of Service (DDoS) attacks. The largest attack ever recorded at CloudFlare before the exploit of HTTP/2 Rapid Reset Zero-Day was 71 million requests per second (rps). The attack using the CVE-2023-44487 resulted in an attack which peaked at over 201 million rps.

This zero-day was brought to the attention of Cloudflare in late August 2023 when it was being developed by an unknown threat actor. Later, Cloudflare observed this zero-day exploit being used in conjunction with DDoS botnets to create DDoS attacks with unprecedented volumes.

NOTE: On October 10, 2023, at 12pm ET, Health-ISAC’s Threat Operations Center held a Spotlight webinar to discuss what Cloudflare has seen: the vulnerability, impacts seen, and recommendations to address the issue.