Thursday, 3 April 2025
26.1 C
Singapore
29.2 C
Thailand
27 C
Indonesia
27.3 C
Philippines

New DDOS vulnerability threatens almost all websites

Discover the HTTP/2 Rapid Reset DDOS vulnerability that endangers nearly all websites, and learn about the urgent measures to protect against this severe threat.

A recent discovery of a DDOS vulnerability showcases a significant threat to nearly every website, sparking urgent actions from server software companies to devise patches for protection.

Understanding the HTTP/2 Rapid Reset vulnerability

This particular vulnerability exploits the HTTP/2 and HTTP/3 network protocols, which facilitate multiple data streams between a server and a browser. A browser can request numerous resources from a server and receive them all simultaneously instead of waiting for each resource to download sequentially.

The exploit, HTTP/2 Rapid Reset, was publicly shared by Cloudflare, Amazon Web Services (AWS), and Google. Many modern web servers operate on the HTTP/2 network protocol, and the lack of a software patch currently leaves virtually every server at risk. This new and unmitigated exploit is referred to as a zero-day exploit. However, on a brighter note, server software companies are actively developing patches to rectify the HTTP/2 security loophole.

How severe is the HTTP/2 Rapid Reset exploit?

The HTTP/2 network protocol has a server setting that limits the number of requests at any given moment, denying requests beyond this number. Another feature allows a request to be cancelled, removing that data stream from the preset request limit and freeing up the server to process another data stream.

The alarming part is that attackers can send millions of requests and cancellations to a server, completely overwhelming it. The HTTP/2 Rapid Reset exploit elevates the severity as servers currently have no defence against it. Cloudflare reported blocking a DDOS attack 300% larger than any previous DDOS attack, with Google reporting a DDOS attack exceeding 398 million requests per second (RPS).

This exploit’s sinister aspect is the trivial amount of resources required to launch an attack. Unlike traditional DDOS attacks requiring a substantial network of infected computers (a botnet), the HTTP/2 Rapid Reset exploit necessitates as few as 20,000 infected computers to initiate attacks three times larger than the most significant DDOS attacks ever recorded. This substantially lowers the bar for hackers to conduct devastating DDOS attacks.

How to safeguard against HTTP/2 Rapid Reset?

While patches are under development to address the HTTP/2 exploit, Cloudflare customers are already protected. As a temporary measure, in dire circumstances where a server is under attack and defenceless, Cloudflare suggests that server administrators could downgrade the HTTP network protocol to HTTP/1.1. Although this action may slow down server performance, it’s a preferable alternative to being offline.

Hot this week

Intelโ€™s future in the GPU market looks uncertain

Intel may not release a high-end Battlemage GPU, and Arc Celestialโ€™s future is unclear, leaving gamers with limited options in a challenging market.

Global tech leaders to explore the future of enterprise at ATxEnterprise 2025

ATxEnterprise 2025 in Singapore will bring together global leaders to explore AI, cybersecurity, and the future of enterprise technology.

Nothing Phone (3a) Pro review: A mid-range marvel with standout zoom

Nothing Phone (3a) Pro blends standout design, powerful zoom camera, and smart features, making it a top choice in the mid-range segment.

Qualcomm expands AI research with MovianAI acquisition

Qualcomm has acquired Vietnamese AI research firm MovianAI to boost its AI development in smartphones, PCs, and software-defined vehicles.

OpenAI pauses free GPT-4o image generation after viral Studio Ghibli trend

OpenAI halts free GPT-4o image generation after viral Studio Ghibli trend raises legal concerns, leaving paid users with continued access.

Qualcomm expands AI research with MovianAI acquisition

Qualcomm has acquired Vietnamese AI research firm MovianAI to boost its AI development in smartphones, PCs, and software-defined vehicles.

Roblox introduces new parental controls to enhance child safety

Roblox introduces new parental controls, allowing parents to block games, restrict friends, and monitor their childโ€™s activity for better safety.

Anthropic introduces Claude for Education, a new AI chatbot plan for universities

Anthropic launches Claude for Education, an AI chatbot plan for universities that offers advanced learning tools and administration support.

Exabeam introduces Nova, an agentic AI that boosts cybersecurity operations

Exabeam unveils Nova, a proactive AI agent that boosts security team productivity and reduces incident investigation time by over 50%.

Related Articles