Thursday, 24 April 2025

New DDoS vulnerability threatens almost all websites

The HTTP/2 Rapid Reset DDoS vulnerability endangers nearly every website that speaks HTTP/2. Here is how it works and what operators should do about it.

A recently disclosed DDoS vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487, poses a significant threat to nearly every website, and server software vendors have been rushing out patches to protect against it.

Understanding the HTTP/2 Rapid Reset vulnerability

The vulnerability abuses stream multiplexing in HTTP/2, the feature that lets a browser open many request streams over a single connection and receive the responses concurrently instead of waiting for each resource to download in turn. HTTP/3 offers similar multiplexing, but the disclosed attack, and the CVE, concern HTTP/2.

The technique, named HTTP/2 Rapid Reset, was disclosed jointly by Cloudflare, Amazon Web Services (AWS) and Google on 10 October 2023. Most modern web servers speak HTTP/2, so until a patch is applied, virtually every such server is exposed. Because the technique was exploited in the wild before it was disclosed and fixed, it counts as a zero-day. On a brighter note, server software vendors have been actively shipping patches to close the loophole.

How severe is the HTTP/2 Rapid Reset exploit?

HTTP/2 lets a server cap the number of streams a client may have open at once (the SETTINGS_MAX_CONCURRENT_STREAMS setting, commonly around 100); requests beyond that cap are refused. The protocol also lets a client cancel a request at any time by sending an RST_STREAM frame, and a cancelled stream immediately stops counting against the cap, freeing the slot for another request.

The alarming part is that an attacker can send a request and then cancel it in rapid succession, millions of times over. The concurrency cap is never exceeded, because each stream is cancelled the moment it is opened, yet the server has already started work on every one of those requests, and that work piles up until the server is overwhelmed. Until vendors shipped fixes, servers had no effective defence. Cloudflare reported blocking an attack roughly three times larger than its previous record, peaking at about 201 million requests per second (rps), and Google reported an attack exceeding 398 million rps.

This exploit's most sinister aspect is how few resources it takes to launch. Traditional volumetric DDoS attacks need a large network of infected machines (a botnet); because a single HTTP/2 connection can carry an enormous request rate, Rapid Reset attacks about three times the size of the largest ever recorded were launched from a botnet of only around 20,000 machines. This substantially lowers the bar for attackers to conduct devastating DDoS attacks.

How to safeguard against HTTP/2 Rapid Reset?

While patches roll out, Cloudflare's own customers are already protected. As a stop-gap for a server that is under attack and has no patch available, Cloudflare suggests disabling HTTP/2 so that clients fall back to HTTP/1.1; in practice this means removing h2 from the server's TLS ALPN list, and you can confirm it took effect by checking that the server no longer negotiates HTTP/2. Although this slows the server down, it is preferable to being offline. Once a vendor fix is installed, confirm the running version actually contains it and re-enable HTTP/2.
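The stream accounting described in the severity section above, and the per-connection reset limit that patched servers now apply, as an added example (not code from the article, Cloudflare, Google or AWS): a Python model that builds real HTTP/2 HEADERS and RST_STREAM frames the way a Rapid Reset client would, then feeds them to two toy connection handlers. The first enforces only SETTINGS_MAX_CONCURRENT_STREAMS, as pre-patch servers did; the second also counts resets and tears down the connection once they exceed a budget, which is the shape of the mitigation vendors shipped. The server model, the reset budget of 200 and the request count are constructed for illustration; the HPACK block is a minimal real one using only static-table indexes.

```python
"""Toy model of HTTP/2 Rapid Reset stream accounting (added example, not vendor code)."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# HTTP/2 frame types, flags and error codes (RFC 9113)
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL = 0x8
# Minimal HPACK block using only static-table indexed fields:
# 0x82 = ":method GET", 0x84 = ":path /", 0x87 = ":scheme https"
MIN_HPACK_GET = b"\x82\x84\x87"


def encode_frame(ftype, flags, stream_id, payload=b""):
    """9-byte frame header (24-bit length, type, flags, R + 31-bit stream id) then payload."""
    header = (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frames(data):
    """Yield (type, flags, stream_id, payload); raise on a truncated frame."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += 9 + length


def rapid_reset_bytes(n_requests):
    """Attacker traffic (constructed): each HEADERS frame is immediately followed by
    RST_STREAM(CANCEL) on the same stream. Client streams use odd, increasing ids."""
    out = bytearray()
    for i in range(n_requests):
        sid = 2 * i + 1
        out += encode_frame(HEADERS, END_HEADERS | END_STREAM, sid, MIN_HPACK_GET)
        out += encode_frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
    return bytes(out)


@dataclass
class ServerModel:
    """Hypothetical connection handler. reset_budget=None reproduces pre-patch behaviour:
    the only limit is SETTINGS_MAX_CONCURRENT_STREAMS. With a budget, the connection is
    torn down (GOAWAY) once the peer has reset more streams than allowed."""
    max_concurrent_streams: int = 100
    reset_budget: Optional[int] = None
    open_streams: set = field(default_factory=set)
    dispatched: int = 0      # request handlers started: the cost the attacker inflicts
    refused: int = 0
    resets: int = 0
    max_open: int = 0
    goaway_sent: bool = False

    def feed(self, data):
        for ftype, flags, sid, payload in decode_frames(data):
            if self.goaway_sent:
                break  # connection closed; nothing further is processed
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent_streams:
                    self.refused += 1  # would answer RST_STREAM(REFUSED_STREAM)
                    continue
                self.open_streams.add(sid)
                self.max_open = max(self.max_open, len(self.open_streams))
                self.dispatched += 1   # work begins as soon as the headers are complete
            elif ftype == RST_STREAM:
                # Cancelling frees the concurrency slot at once, but the handler that
                # was already dispatched keeps consuming server resources.
                self.open_streams.discard(sid)
                self.resets += 1
                if self.reset_budget is not None and self.resets > self.reset_budget:
                    self.goaway_sent = True
        return self.stats()

    def stats(self):
        return {"max_open": self.max_open, "dispatched": self.dispatched,
                "refused": self.refused, "resets": self.resets, "goaway": self.goaway_sent}


def compare(n_requests=10_000, reset_budget=200):
    """Run the same Rapid Reset burst against an unpatched and a hardened model."""
    naive = ServerModel().feed(rapid_reset_bytes(n_requests))
    hardened = ServerModel(reset_budget=reset_budget).feed(rapid_reset_bytes(n_requests))
    return naive, hardened


if __name__ == "__main__":
    unpatched, patched = compare()
    print("unpatched:", unpatched)
    print("hardened :", patched)
```

Running it, the unpatched model never has more than one stream open at any moment, yet dispatches all 10,000 handlers; the hardened model dispatches 201 and then closes the connection. Real implementations measure resets over a time window rather than as a flat per-connection count, so a legitimate client that occasionally cancels a request is not cut off.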
