Thursday, 1 May 2025

New DDoS vulnerability threatens almost all websites

Discover the HTTP/2 Rapid Reset DDoS vulnerability that endangers nearly every website served over HTTP/2, and learn which urgent measures protect against it.

A recently disclosed DDoS vulnerability threatens nearly every website that serves HTTP/2, and server software vendors have rushed to ship patches against it.

Understanding the HTTP/2 Rapid Reset vulnerability

The vulnerability abuses a core feature of the HTTP/2 protocol: stream multiplexing. Over a single TCP connection, a browser can open many concurrent streams, request numerous resources at once and receive them in parallel instead of waiting for each download to finish before starting the next. HTTP/3 multiplexes as well, but the disclosed attack targets the way HTTP/2 servers account for streams.

The technique, named HTTP/2 Rapid Reset and tracked as CVE-2023-44487, was disclosed jointly by Cloudflare, Amazon Web Services (AWS) and Google. Because most modern web servers speak HTTP/2, virtually every server was exposed until vendors shipped fixes, and the attack had already been used in the wild before a fix existed, which is what makes it a zero-day. On the brighter side, the disclosure was coordinated, and server software vendors are actively releasing patches that close the loophole.

How severe is the HTTP/2 Rapid Reset exploit?

HTTP/2 lets a server advertise a setting (SETTINGS_MAX_CONCURRENT_STREAMS) that caps how many requests a client may have in flight on one connection; requests beyond that number are refused. A second feature lets a client cancel a request at any time by sending an RST_STREAM frame. Cancelling removes the stream from the in-flight count immediately, freeing a slot for the next request, but the server has typically already parsed the request headers, allocated state and perhaps dispatched the request to a backend.

The alarming part is that an attacker can send a request and cancel it in the same instant, then repeat that millions of times: the in-flight count never reaches the concurrency cap, yet the server does the expensive setup work for every request, which overwhelms it. Before patches, servers had no built-in defence against this pattern. Cloudflare reported mitigating an attack roughly three times larger than any it had seen before, and Google reported an attack peaking at 398 million requests per second (RPS).
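To make the accounting concrete, the following added example (not code from the article, Cloudflare, AWS or Google) models an HTTP/2 server's stream bookkeeping. It encodes and parses real HTTP/2 frame headers (RFC 9113 layout: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id) over constructed byte buffers, then shows that a concurrency cap of 100 refuses a plain burst of 150 requests but refuses nothing in a Rapid Reset flood, while a per-connection budget on RST_STREAM frames (a hypothetical threshold of 200, close in spirit to what several vendor patches did) closes the connection early. The HPACK bytes in the HEADERS payload stand for `:method GET` and `:path /` and are not interpreted here.

```python
"""Toy HTTP/2 stream accounting: why SETTINGS_MAX_CONCURRENT_STREAMS does not
stop a Rapid Reset flood, and how a reset budget does. All frames below are
constructed for the example, not captured from a real attack."""
import struct
from dataclasses import dataclass, field

# HTTP/2 frame types and flags (RFC 9113, section 6)
HEADERS = 0x1
RST_STREAM = 0x3
END_HEADERS = 0x4          # flag on HEADERS
CANCEL = 0x8               # RST_STREAM error code


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 3-byte length, type, flags, 4-byte stream id (R bit 0)."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break              # truncated frame: wait for more bytes
        yield ftype, flags, sid, payload
        off += 9 + length


@dataclass
class Connection:
    max_concurrent_streams: int = 100    # the server's advertised SETTINGS cap
    reset_budget: int = 200              # hypothetical guard threshold (assumption)
    open_streams: set = field(default_factory=set)
    refused: int = 0                     # requests rejected by the concurrency cap
    work_started: int = 0                # requests the server began processing
    resets: int = 0
    closed_by_guard: bool = False

    def feed(self, buf: bytes) -> None:
        for ftype, flags, sid, payload in parse_frames(buf):
            if self.closed_by_guard:
                return                   # connection already torn down
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent_streams:
                    self.refused += 1    # cap only counts streams still open
                    continue
                self.open_streams.add(sid)
                self.work_started += 1   # header parsing, state, backend dispatch
            elif ftype == RST_STREAM and sid in self.open_streams:
                self.open_streams.discard(sid)   # slot freed at once
                self.resets += 1
                if self.resets > self.reset_budget:
                    self.closed_by_guard = True  # patched-server behaviour


def rapid_reset_flood(n: int) -> bytes:
    """Constructed attacker traffic: each HEADERS frame is cancelled immediately."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1                  # client-initiated streams are odd
        out += frame(HEADERS, END_HEADERS, sid, b"\x82\x84")
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


def plain_burst(n: int) -> bytes:
    """Constructed legitimate traffic: n requests, none cancelled."""
    return b"".join(frame(HEADERS, END_HEADERS, 2 * i + 1, b"\x82\x84") for i in range(n))


def run_flood(guard: bool) -> Connection:
    conn = Connection(reset_budget=200 if guard else 10 ** 9)
    conn.feed(rapid_reset_flood(10_000))
    return conn


def run_burst(n: int) -> Connection:
    conn = Connection()
    conn.feed(plain_burst(n))
    return conn


if __name__ == "__main__":
    print("plain burst of 150:", run_burst(150))
    print("flood, cap only:   ", run_flood(guard=False))
    print("flood, with guard: ", run_flood(guard=True))
```

Without the guard the flood leaves `open_streams` empty and `refused` at zero while `work_started` climbs to 10,000, which is the whole attack in one line of output; with the guard the server stops after 201 requests and closes the connection. Real servers apply such a budget per time window or per event-loop iteration rather than for the connection's lifetime, so treat the threshold as illustrative.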

The most worrying aspect is how few resources an attack needs. Record-setting DDoS attacks have traditionally relied on very large botnets of infected machines; the Rapid Reset attacks Cloudflare observed came from a botnet of only about 20,000 machines, yet reached roughly three times the size of the largest attacks previously recorded. That substantially lowers the bar for attackers to mount devastating DDoS campaigns.

How to safeguard against HTTP/2 Rapid Reset?

Cloudflare customers are already protected, and server administrators should apply their vendor's HTTP/2 patches as they become available. As a stopgap for a server that is under attack and has no fix yet, Cloudflare suggests disabling HTTP/2 so that clients fall back to HTTP/1.1. The downgrade gives up multiplexing and will slow page loads, and it does not make a server immune to ordinary request floods, but it removes the cheap request-and-cancel amplification, which is preferable to being offline.
