Mysterious hackers took advantage of a flaw in one of the Internet’s mechanisms to carry out the largest attack in history against Google’s servers. And they could start again to block access to many websites.

The attack only lasted two minutes, but it certainly caused a brief moment of panic among Google engineers. At the end of August, they observed a sudden surge of web requests on their infrastructure: a deluge of simultaneous connections, peaking at… 398 million requests per second. Imagine: it is as if 400 million Internet users were trying to connect to the same site at exactly the same time! Google had never seen anything like it. In 2022, a similar attack (known as a “denial of service” attack, or DDoS, in the jargon) had already made headlines. But with “only” 42 million simultaneous connections at its peak, it pales in comparison to the one that took place this summer. “To give an idea of its scale, the August attack generated more queries than the total number of article pages viewed on Wikipedia for the entire month of September 2023,” says Google.

Two minutes, billions of connections. © Google

The hackers’ goal was clear: to saturate Google’s network resources with connections in order to make its services and the websites it hosts inaccessible. To temporarily block part of the Web, in short. Especially since hackers didn’t just hit Google. Two other “cloud” giants, Amazon and Cloudflare, also spotted denial of service attacks of unprecedented power at the same time. Fortunately, Google and the other affected companies managed to limit the damage. There were a few sites temporarily inaccessible here and there, but the impact of this series of attacks was contained within a few days.

A flaw that weakens millions of websites

End of the story? Not really. Because the technique used by the hackers takes advantage of a vulnerability in a protocol essential to the Web, one that will be very difficult to correct for good. You certainly know its name, permanently displayed in the address bar of your browser: HTTP. Most of the sites you connect to every day now use HTTP/2, a more efficient version of the historic protocol, capable of displaying web pages much faster.

We are not going to go into its technical specifications here, but to summarize very roughly, HTTP/2 is able to manage many more message exchanges between a client (your browser) and a server (which hosts a site) simultaneously. This is ideal for displaying web pages more quickly, but it also benefits those who want to carry out denial of service attacks, because they can increase the number of requests and saturate the servers they are targeting more quickly.

This infographic clearly shows the difference between a classic denial of service attack and the new one, which lets an attacker multiply requests without waiting for a response from the server. © Google

In the attack that interests us, called HTTP/2 Rapid Reset, the hackers went even further. For the first time, they took advantage of a specific HTTP/2 function which allows a request to be cancelled without waiting for a response from the server. Using this trick, they can increase the number of messages they transmit tenfold.
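The behaviour the two paragraphs above describe (many streams opened on one connection, each cancelled before the server answers) leaves a visible trace on the server side: the share of client-opened streams that the client itself cancels. The following is an added example, not code from the article or from Google, Amazon or Cloudflare, of a simple detector that scores that ratio per connection from a constructed frame log. The log format, the `conn-A`/`conn-B`/`conn-C` connection names and the thresholds are assumptions for the demonstration.

```python
from collections import defaultdict

RESET_RATIO = 0.5   # assumed threshold: half or more of opened streams cancelled
MIN_STREAMS = 100   # assumed minimum stream count before a connection is judged

def parse_frame_line(line):
    """Constructed log format: '<conn_id> <HEADERS|RST_STREAM> <stream_id> <sender>'."""
    conn, kind, stream, sender = line.split()
    return conn, kind, int(stream), sender

def reset_ratios(lines):
    """Return {conn_id: (streams_opened, streams_reset)} for client-initiated frames only."""
    opened = defaultdict(set)   # streams the client opened with a HEADERS frame
    resets = defaultdict(set)   # of those, the ones the client cancelled with RST_STREAM
    for line in lines:
        conn, kind, stream, sender = parse_frame_line(line)
        if sender != "client":
            continue            # server-sent resets are not the signal we look for
        if kind == "HEADERS":
            opened[conn].add(stream)
        elif kind == "RST_STREAM" and stream in opened[conn]:
            resets[conn].add(stream)
    return {c: (len(s), len(resets[c])) for c, s in opened.items()}

def suspicious_connections(lines, min_streams=MIN_STREAMS, reset_ratio=RESET_RATIO):
    """Connections whose client cancelled at least reset_ratio of >= min_streams streams."""
    flagged = {}
    for conn, (n_opened, n_reset) in reset_ratios(lines).items():
        if n_opened >= min_streams and n_reset / n_opened >= reset_ratio:
            flagged[conn] = round(n_reset / n_opened, 3)
    return flagged

def constructed_log():
    """Constructed sample: a normal browser, a rapid-reset pattern, and a tiny connection."""
    lines = []
    for i in range(120):        # browser: opens 120 streams (odd ids), cancels 3 of them
        lines.append(f"conn-A HEADERS {2 * i + 1} client")
        if i < 3:
            lines.append(f"conn-A RST_STREAM {2 * i + 1} client")
    for i in range(500):        # attack pattern: every stream cancelled immediately
        lines.append(f"conn-B HEADERS {2 * i + 1} client")
        lines.append(f"conn-B RST_STREAM {2 * i + 1} client")
    for i in range(5):          # only 5 streams: below MIN_STREAMS, so never judged
        lines.append(f"conn-C HEADERS {2 * i + 1} client")
        lines.append(f"conn-C RST_STREAM {2 * i + 1} client")
    return lines

if __name__ == "__main__":
    print(suspicious_connections(constructed_log()))   # {'conn-B': 1.0}
```

A real server would evaluate this over a sliding time window rather than the whole connection lifetime, and would act on a flagged connection (for example by closing it) rather than only reporting it.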

To correct this problem, all web servers in the world will need to apply a patch… which does not yet exist. And that is rather worrying. Because while giants like Google or Amazon have technical countermeasures against these new kinds of attacks, sites hosted elsewhere could suffer them head-on in the coming months.

Cloudflare also emphasizes a very worrying point. The botnet – a network of compromised PCs under the orders of hackers – that was used to launch this attack had only around 20,000 machines. That is not many. If a larger botnet launched the same attack, it could have a much greater impact. “Some current botnets consist of hundreds of thousands or millions of machines. The Internet as a whole typically receives only between 1 and 3 billion requests every second, so it is not inconceivable that using this method could concentrate the entire network’s request count on a small number of targets,” the company said in a note. Suffice it to say that this “record” attack will undoubtedly soon be surpassed by another, much more massive one, which could block thousands or even millions of websites around the world…