HTTP/2 Rapid Reset DDOS Vulnerability Affects Virtually Any Site


Details of a new form of DDOS that requires relatively minimal resources to launch an attack of unprecedented scale, making it a clear danger for websites as server software companies race to release patches to protect against it.

HTTP/2 Rapid Reset Exploit

The vulnerability takes advantage of the HTTP/2 and HTTP/3 network protocols that allow multiple streams of data to and from a server and a browser.

This means that the browser can request multiple resources from a server and get them all returned, rather than having to wait for each resource to download one at a time.

The exploit that was publicly announced by Cloudflare, Amazon Web Services (AWS) and Google is called HTTP/2 Rapid Reset.

The vast majority of modern web servers use the HTTP/2 network protocol.

Because there is currently no software patch to fix the HTTP/2 security hole, it means that virtually every server is vulnerable.

An exploit that is new and has no way to mitigate it is called a zero-day exploit.

The good news is that server software companies are working on developing patches to close the HTTP/2 weakness.

How The HTTP/2 Rapid Reset Vulnerability Works

The HTTP/2 network protocol has a server setting that allows a set number of requests at any given time.

Requests that exceed that number are denied.

Another feature of the HTTP/2 protocol allows a request to be cancelled, which removes that data stream from the preset request limit.

This is a good thing because it frees up the server to turn around and process another data stream.

However, what the attackers discovered is that it’s possible to send millions (yes, millions) of requests and cancellations to a server and overwhelm it.

How Bad Is HTTP/2 Rapid Reset?

The HTTP/2 Rapid Reset exploit is extraordinarily bad because servers currently have no defense against it.

Cloudflare noted that it had blocked a DDOS attack that was 300% larger than the largest ever DDOS attack in history.

The largest one they blocked exceeded 201 million requests per second (RPS).

Google is reporting a DDOS attack that exceeded 398 million RPS.

But that’s not the full extent of how bad this exploit is.

What makes this exploit even worse is that it takes a relatively trivial amount of resources to launch an attack.

DDOS attacks of this size normally require hundreds of thousands to millions of infected computers (called a botnet) to launch attacks at this scale.

The HTTP/2 Rapid Reset exploit requires as few as 20,000 infected computers to launch attacks that are three times larger than the largest DDOS attacks ever recorded.

That means that the bar is much lower for hackers to gain the ability to launch devastating DDOS attacks.

How To Protect Against HTTP/2 Rapid Reset?

Server software publishers are currently working to release patches to close the HTTP/2 exploit weakness. Cloudflare customers are currently protected and don’t have to worry.

Cloudflare advises that in the worst case scenario, if a server is under attack and defenseless, the server administrator can downgrade the HTTP network protocol to HTTP/1.1.

Downgrading the network protocol will stop the hackers from being able to continue their attack but the server performance may slow down (which at least is better than being offline).

Read The Security Bulletins

Cloudflare Blog Post:
HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks

Google Cloud Security Alert:
Google mitigated the largest DDoS attack to date, peaking above 398 million rps

AWS Security Alert:
CVE-2023-44487 – HTTP/2 Rapid Reset Attack

Featured Image by Shutterstock/Illusmile



منبع