Multiplexed Asymmetric Attacks: Next-Generation DDoS on HTTP/2 Servers

Abstract

Distributed Denial of Service (DDoS) attacks using the HTTP protocol have started gaining popularity in recent years. A recent trend in this direction has been the use of computationally expensive requests to launch attacks. These attacks, called Asymmetric Workload attacks can bring down servers using limited resources, and are extremely difficult to detect. The introduction of HTTP/2 has been welcomed by developers because it improves user experience and efficiency. This was made possible by the ability to transport HTTP requests and their associated inline resources simultaneously by using Multiplexing and Server Push. However multiplexing has made request traffic bursty and rendered DDoS detection mechanisms based on connection limiting obsolete. Contrary to its intention, multiplexing can also be misused to launch sophisticated DDoS attacks using multiple high workload requests in a single TCP connection. However, sufficient research has not been done in this area. Existing research demonstrates that the HTTP/2 protocol allows users to launch DDoS attacks easily, but does not focus on whether an HTTP/2 server can handle DDoS attacks more efficiently or not. Also, sufficient research has not been done on the possibility of Multiplexing and Server Push being misused. In this work, we analyse the performance of an HTTP/2 server compared to an HTTP/1.1 server under an Asymmetric DDoS attack for the same load. We propose a new DDoS attack vector called a Multiplexed Asymmetric DDoS attack, which uses multiplexing in a different way than intended. We show that such an attack can bring down a server with just a few attacking clients. We also show that a Multiplexed Asymmetric Attack on a server with Server Push enabled can trigger an egress network layer flood in addition to an application layer attack.