HTTP/2 Rapid Reset Attack: HTTP/2 Zero-Day Vulnerability Rocks Cybersecurity World

HTTP/2 Rapid Reset

Today, a new cyber threat has shaken the very foundations of the digital world. Leading internet giants, Cloudflare, Google, and Amazon AWS, have announced the discovery of an alarming zero-day vulnerability, the “HTTP/2 Rapid Reset” attack. The vulnerability, tracked as CVE-2023-44487, leverages the HTTP/2 protocol, which is crucial for the smooth functioning of the Internet, in a cunning manner to launch potent Distributed Denial of Service (DDoS) attacks.

In recent months, Cloudflare, the spearhead of cybersecurity innovation, has been at the forefront, neutralizing a deluge of these attacks. Some of these onslaughts have broken records, with one attack skyrocketing past the 201 million requests per second (rps) mark, a staggering threefold increase from any prior attack on their radar. As of August end, Cloudflare’s defenses have been tested by over 1,100 attacks exceeding 10 million rps and a jaw-dropping 184 that surpassed their prior record of 71 million rps.

Diving into the mechanics of this new threat, the “Rapid Reset” attack manipulates the stream cancellation feature of the HTTP/2 protocol. The seemingly innocuous pattern of sending and then instantly canceling a request is automated and executed at an astonishing scale by cyber adversaries. This results in an overwhelming denial of service that can paralyze any server or application relying on the HTTP/2 protocol. The terrifying fact? A moderately sized botnet of about 20,000 machines was enough to harness this vulnerability and produce an attack of such enormity.

Cloudflare’s infrastructure faced intermittent instabilities, with some components being overwhelmed, leading to fleeting performance disruptions for a handful of their clients. However, Cloudflare’s robust systems quickly brought these issues under control and fortified defenses for all users. The incident catalyzed the initiation of a responsible disclosure procedure, with Cloudflare joining forces with industry stalwarts to enhance global internet security before making this public knowledge.

This zero-day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Grant Bourzikas, chief security officer at Cloudflare, said.

While “perfect disclosures” remain elusive, Cloudflare’s guiding principle is an “assume-breach” mindset. This means being perpetually vigilant, as new threats, evolving cybercriminal groups, and uncharted attack techniques will continue to emerge. This mindset has enabled Cloudflare not only to mitigate attacks but also to collaborate with industry peers, ensuring the collective security of the digital realm.

In light of these events, Cloudflare has innovatively engineered new technologies to thwart DDoS attacks of such magnitude, further amplifying their defensive capabilities. This is a testament to their unwavering commitment to protecting their clients. They have also engaged with web server software partners to expedite patch development, making sure the vulnerability is sealed.

One might wonder, why was Cloudflare, with its state-of-the-art DDoS defense mechanisms, one of the initial targets. The answer lies in the strategic thinking of these cyber criminals. These threat actors test their tools against formidable opponents like Cloudflare to gauge their weapon’s strength and efficacy. By targeting Cloudflare, they could extract insights from the company’s public performance data. Yet, this strategic oversight on their part gave Cloudflare the upper hand, allowing them to develop countermeasures that benefit the broader digital community.

AWS, Google Cloud, F5, and Swift are aware of CVE-2023-44487, also known as “HTTP/2 Rapid Reset Attack,” related to HTTP/2 capable web servers where rapid stream generation and cancellation can result in additional load which could lead to a Denial of Service. These companies have issued various protections to address Layer 7 request floods, and have implemented additional mitigations to address this issue.

In conclusion, as cyber threats evolve, so does Cloudflare’s resolve to build a safer Internet. Their proactive collaboration with industry partners and governments underscores their dedication to enhancing cyber resiliency globally.