Google, Amazon, Microsoft, and Cloudflare recently disclosed that they defended against record-scale distributed denial of service (DDoS) attacks on their cloud infrastructure in August and September 2023; Google reported a peak of 398 million requests per second, more than seven times the largest attack it had previously seen. DDoS attacks, which aim to overwhelm a service with excessive traffic, have long plagued the internet, and attackers continuously develop new tactics to make them more potent. These attacks drew particular attention because they exploited a weakness in a fundamental web protocol rather than a bug in one product. As a result, although patches are being released, the fix has to reach every HTTP/2 server worldwide before this class of attack is fully closed off.
Named “HTTP/2 Rapid Reset” and tracked as CVE-2023-44487, the vulnerability can only be used for denial of service; it does not let an attacker take control of a server or extract data. Even so, a straightforward attack can have severe repercussions, because availability underpins access to every digital service, from critical infrastructure to essential information.
Emil Kiner and Tim April from Google Cloud emphasized the wide-ranging impact of DDoS attacks on victim organizations, including business losses and the unavailability of mission-critical applications. They further noted that recovery from such attacks can extend well beyond the attack’s duration.
The origin of the vulnerability is noteworthy as well. Rapid Reset is not tied to a specific piece of software; it arises from the design of the HTTP/2 network protocol, which browsers use to load webpages. Published by the Internet Engineering Task Force (IETF) as RFC 7540 in 2015, HTTP/2 is the faster and more efficient successor to HTTP/1.1, and its wide adoption is due to better performance on mobile devices and lower bandwidth usage. Its own successor, HTTP/3, was published by the IETF as RFC 9114 in 2022.
Lucas Pardue and Julien Desgats of Cloudflare highlighted that because the attack exploits an inherent weakness in the HTTP/2 protocol, any implementation of HTTP/2 is potentially susceptible. While a minority of implementations appear unaffected by Rapid Reset, Pardue and Desgats stressed that the issue is relevant to “every modern web server.”
Unlike a vulnerability in one product, a flaw in a protocol cannot be fixed by a single central entity, because each server implements the standard in its own code. Major cloud services and DDoS defense providers can protect the traffic that passes through their infrastructure, but organizations and individuals running their own web servers must apply their vendor's patch, or add their own defenses such as per-connection limits on stream resets, themselves.
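The article does not describe the mechanism, so for context: in Rapid Reset the client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, over and over. Because a cancelled stream no longer counts against the per-connection concurrent-stream limit, the client can keep the server busy starting requests at a rate the limit was meant to prevent. The following is an added example, not code from the article or from Google, Cloudflare, or any other vendor it quotes. It is one heuristic a server operator could run over a connection's raw HTTP/2 frames to spot that pattern: the fraction of client-opened streams that are reset before the client sends anything else on them. The frame encoder and sample traffic are constructed here for the example, and the thresholds in `is_rapid_reset` are assumptions, not values from any vendor's fix. It is a detection aid, not a substitute for patching.

```python
"""Heuristic detector for the HTTP/2 Rapid Reset pattern (CVE-2023-44487).

Added example; thresholds and sample traffic are constructed assumptions.
"""
import struct
from dataclasses import dataclass

FRAME_HEADER_LEN = 9      # RFC 7540 section 4.1: 24-bit length, type, flags, 31-bit stream id
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8          # RST_STREAM error code CANCEL


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame (used only to construct sample traffic)."""
    length = struct.pack(">I", len(payload))[1:]            # low 3 bytes of the length
    sid = struct.pack(">I", stream_id & 0x7FFFFFFF)          # reserved bit cleared
    return length + bytes([ftype, flags]) + sid + payload


def parse_frames(data: bytes) -> list[Frame]:
    """Split a byte string of concatenated HTTP/2 frames into Frame objects."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        off += FRAME_HEADER_LEN
        payload = data[off:off + length]
        if len(payload) < length:
            raise ValueError("truncated frame at offset %d" % off)
        off += length
        frames.append(Frame(ftype, flags, stream_id, payload))
    return frames


def rapid_reset_score(frames: list[Frame]) -> tuple[int, int]:
    """Return (streams opened by the client, streams the client reset right after opening).

    A reset counts as "immediate" when RST_STREAM is the very next frame the
    client sends on that stream after its opening HEADERS frame.
    """
    opened: set[int] = set()
    last_type: dict[int, int] = {}
    opened_count = immediate_resets = 0
    for f in frames:
        if f.stream_id == 0:                 # connection-level frames (SETTINGS, PING, ...)
            continue
        if f.ftype == TYPE_HEADERS and f.stream_id not in opened:
            opened.add(f.stream_id)
            opened_count += 1
            last_type[f.stream_id] = TYPE_HEADERS
        elif f.ftype == TYPE_RST_STREAM and f.stream_id in opened:
            if last_type.get(f.stream_id) == TYPE_HEADERS:
                immediate_resets += 1
            opened.discard(f.stream_id)
        else:
            last_type[f.stream_id] = f.ftype  # DATA, CONTINUATION, trailers, ...
    return opened_count, immediate_resets


def is_rapid_reset(frames: list[Frame], min_resets: int = 100, min_ratio: float = 0.5) -> bool:
    """Flag a connection when it has many immediate resets AND they dominate its streams.

    Both thresholds are assumed values for the example; tune them per deployment.
    """
    opened, resets = rapid_reset_score(frames)
    return resets >= min_resets and opened > 0 and resets / opened >= min_ratio


def normal_traffic(n: int = 20) -> bytes:
    """Constructed: n GET requests, with one ordinary cancellation of the first stream."""
    data = b""
    for i in range(n):
        sid = 2 * i + 1                      # client-initiated streams are odd
        # b"\x82" is HPACK static-table index 2 (":method: GET"), enough for a sample
        data += build_frame(TYPE_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82")
    data += build_frame(TYPE_RST_STREAM, 0, 1, struct.pack(">I", ERR_CANCEL))
    return data


def rapid_reset_traffic(n: int = 1000) -> bytes:
    """Constructed: every stream is opened and cancelled immediately."""
    data = b""
    for i in range(n):
        sid = 2 * i + 1
        data += build_frame(TYPE_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82")
        data += build_frame(TYPE_RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return data


if __name__ == "__main__":
    for name, blob in (("normal", normal_traffic()), ("rapid reset", rapid_reset_traffic())):
        frames = parse_frames(blob)
        print(name, rapid_reset_score(frames), "flagged" if is_rapid_reset(frames) else "ok")
```

The ratio matters as much as the count: a legitimate client that navigates away from a page also sends RST_STREAM, so a single cancellation on a connection with many completed streams should not be flagged. Production mitigations from vendors typically work the other way round, limiting how many resets or new streams a connection may produce per unit of time and closing the connection when the budget is exceeded; this heuristic only identifies the pattern in captured traffic.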
Dan Lorenc, CEO of Chainguard, a software supply chain security company, noted that this situation underscores the value of open source availability and code reuse. Many web servers likely adopted their HTTP/2 implementation from existing libraries rather than building one from scratch. If those projects are well-maintained, they will ship Rapid Reset fixes that can be deployed widely.
However, full adoption of those patches will take years, and some services may have written their own HTTP/2 implementation from scratch, in which case no upstream patch will arrive and they will have to fix it themselves.
Lorenc added that the big tech companies discovered this vulnerability while it was being actively exploited. The vulnerability can be exploited to disrupt operational technology or industrial control systems, which raises significant concerns.
Though the recent string of DDoS attacks on major tech companies raised alarm because of their scale, the companies repelled them without lasting damage. In doing so, the attackers exposed both the protocol weakness and the technique for exploiting it, which the security community calls “burning a zero day.” Despite the time patching will take and the long-term exposure of some web servers, the internet is now safer because the attackers revealed the flaw.
Lorenc expressed curiosity about why someone decided to expose this vulnerability, considering its novelty and potential value if kept secret or sold for a significant sum.