Understanding the HTTP/2 Rapid Reset Attack

What It Means and How to Stay Protected

Adam Cassar

Co-Founder

2 min read

The digital realm faced another significant challenge with the discovery of a flaw in HTTP/2, the dominant version of the HTTP protocol. Termed "HTTP/2 Rapid Reset", the flaw can be exploited to mount massive Distributed Denial of Service (DDoS) attacks that threaten online operations. Here's a comprehensive breakdown and guidance on bolstering your defences.

A Deep Dive into the HTTP/2 Rapid Reset Flaw

HTTP/2 is integral to how the internet functions, so a flaw in it is serious. To exploit this one, a malicious actor repeatedly sends a request and immediately cancels it over the same HTTP/2 connection (in protocol terms, a HEADERS frame that opens a stream, followed at once by an RST_STREAM frame for that stream). A cancelled stream no longer counts toward the connection's concurrent-stream limit, yet the server has often already begun processing the request, so scaling this "request, cancel" pattern thousands of times lets an attacker essentially disable any HTTP/2 implementation. The result is a DDoS attack at the application layer, with potentially extensive downtime and disruption.

Major companies like Cloudflare and Google have encountered and navigated this issue. Google, for instance, mitigated a DDoS attack reaching a peak of 398 million requests per second that relied on this technique. To put it in perspective, this two-minute-long attack generated more requests than the total number of article views reported by Wikipedia in September 2023.

Mitigating the Threat

Big industry players have led the charge in understanding the attack mechanics and developing mitigation strategies:

  1. Patching Systems: Prompt system patching is the first step toward resilience against the HTTP/2 Rapid Reset attack. Companies like Peakhour, Microsoft, and others have tested and patched their systems proactively against this threat.

  2. Rate Limiting: Rate limiting, in particular limiting how many stream cancellations a single connection may issue in a short window and closing connections that exceed the threshold, has been a recommended action. It provides an extra layer of protection, minimizing the risk of massive request inflows.

  3. Collaborative Efforts: The tech industry has shown solidarity in battling this flaw. Google and Microsoft have both shared intelligence and collaborated with other cloud providers and software maintainers implementing the HTTP/2 protocol stack. This has resulted in patches and mitigation techniques now employed by numerous large infrastructure providers.
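As an added example (not Peakhour's own code or any vendor's implementation), the per-connection reset rate limiting from item 2 applied to the "request, cancel" pattern described above: a sliding-window detector is fed a constructed HTTP/2 frame log and flags the connection cancelling streams at attack rate while leaving the normal client alone. The connection ids, thresholds and frame log are all assumptions.

```python
from collections import defaultdict, deque
class RapidResetDetector:
    """Sliding-window count of client RST_STREAM frames per HTTP/2 connection.
    A connection is flagged when the client sends more than `max_resets` RST_STREAM
    frames within `window_s` seconds AND has cancelled at least `min_ratio` of the
    streams it opened (HEADERS) in that window, so a few cancellations never trip it."""
    def __init__(self, window_s=1.0, max_resets=100, min_ratio=0.5):
        self.window_s, self.max_resets, self.min_ratio = window_s, max_resets, min_ratio
        self._headers = defaultdict(deque)  # conn_id -> timestamps of HEADERS frames
        self._resets = defaultdict(deque)   # conn_id -> timestamps of RST_STREAM frames

    def _trim(self, dq, now):  # drop timestamps that fell out of the window
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def observe(self, ts, conn_id, frame_type):
        """Feed one client frame; True means the connection should be closed (GOAWAY)."""
        if frame_type == "HEADERS":
            self._headers[conn_id].append(ts)
        elif frame_type == "RST_STREAM":
            self._resets[conn_id].append(ts)
        else:
            return False
        opened, resets = self._headers[conn_id], self._resets[conn_id]
        self._trim(opened, ts)
        self._trim(resets, ts)
        if len(resets) <= self.max_resets:
            return False
        return len(resets) / max(len(opened), 1) >= self.min_ratio

def constructed_events():  # constructed frame log (timestamp, conn_id, frame), not real server output
    events = []
    for i in range(200):  # normal client: 200 requests over 10 s, one in twenty cancelled
        events.append((i * 0.05, "conn-legit", "HEADERS"))
        if i % 20 == 0:
            events.append((i * 0.05 + 0.02, "conn-legit", "RST_STREAM"))
    for i in range(1000):  # attacker: 1,000 request/cancel pairs crammed into 0.5 s
        events.append((i * 0.0005, "conn-attack", "HEADERS"))
        events.append((i * 0.0005, "conn-attack", "RST_STREAM"))
    events.sort(key=lambda e: e[0])  # stable sort keeps each HEADERS before its RST_STREAM
    return events

def flagged_connections(events, detector=None):
    """Replay a frame log; return the connection ids the detector would close."""
    det = detector or RapidResetDetector()
    flagged = set()
    for ts, conn, ftype in events:
        if det.observe(ts, conn, ftype):
            flagged.add(conn)
    return flagged
```

In a real server the flagged connection would receive a GOAWAY and be closed, which is the shape of the mitigation the patched implementations adopted.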

What's Next for Users and Enterprises?

If you're an enterprise or individual serving an HTTP-based workload online, it's essential to understand the risk this attack poses. Verify that servers supporting HTTP/2 are either not vulnerable or have applied the necessary patches. Always stay informed and consider reaching out to your service providers or account representatives for configuration assistance and guidance.

While the HTTP/2 Rapid Reset flaw presents a significant threat, coordinated efforts and proactive measures can help navigate these digital challenges. Stay informed, implement recommended actions, and continue to prioritize digital security in this ever-evolving landscape.

Discover how Peakhour's Application Security Platform provides robust protection against Layer 7 DDoS attacks, including the HTTP/2 Rapid Reset vulnerability. Contact our team to secure your infrastructure.


© PEAKHOUR.IO PTY LTD 2025   ABN 76 619 930 826    All rights reserved.