October 10, 2023 at 09:54AM – ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History

A new zero-day vulnerability called ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch massive distributed denial-of-service (DDoS) attacks. Cloudflare, Google, and AWS have all experienced record-breaking attacks, with the largest reaching 398 million requests per second. The attacks leverage a feature in the HTTP/2 protocol and have prompted companies to develop patches to address the vulnerability.

Key Takeaways from the Meeting Notes:
– Cloudflare, Google, and AWS have reported a new zero-day vulnerability called ‘HTTP/2 Rapid Reset’ that has been exploited by malicious actors for launching large-scale DDoS attacks.
– Cloudflare researchers began investigating the vulnerability in late August and discovered that an unknown threat actor has been using the weakness in the HTTP/2 protocol to carry out massive DDoS attacks.
– The DDoS attacks were extremely volumetric, with one of the attacks being three times larger than the previous record-breaking attack reported by Cloudflare in February.
– Google experienced a DDoS attack that reached 398 million RPS, while Amazon faced several HTTP/2 Rapid Reset attacks, with the largest peaking at 155 million RPS.
– The attack method utilizes the ‘stream cancellation’ feature of HTTP/2, where requests are repeatedly sent and immediately canceled, causing a denial of service and taking down servers or applications.
– The record-breaking attack conducted against Cloudflare’s customers was carried out using a botnet of only 20,000 compromised devices.
– The vulnerability is believed to affect all web server vendors implementing HTTP/2 and has been assigned a ‘high severity’ rating with a CVSS score of 7.5.
– Cloudflare, Google, and AWS have published technical details of the attack and have taken measures to protect customers. Web server software companies have been notified and are working on developing patches to prevent exploitation of the vulnerability.
– The meeting notes also reference other DDoS attacks, such as those targeted at the Canadian government and Telegram, as well as guidance released by CISA on adopting DDoS mitigations.
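
An added example (not from the article or from the vendors' write-ups) of a server-side check for the stream-cancellation pattern described in the takeaways: per connection, it counts streams that the client resets almost immediately after opening them. The event tuples, the `RESPONSE_DONE` marker, the thresholds and the function names are assumptions made for illustration.

```python
from collections import defaultdict, deque

FAST_CANCEL_MS = 50      # assumed: a reset this soon after HEADERS counts as "rapid"
WINDOW_MS = 1000         # assumed sliding window per connection
MAX_FAST_CANCELS = 20    # assumed per-window budget before a connection is flagged


def find_rapid_reset(events):
    """events: time-ordered (ts_ms, conn_id, kind, stream_id) tuples as seen by the
    server. kind is HEADERS (client opens a stream), RST_STREAM (client cancels it)
    or RESPONSE_DONE (server finished the response; hypothetical marker).
    Returns {conn_id: ts_ms at which the connection was first flagged}."""
    opened = defaultdict(dict)     # conn -> {stream_id: ts of HEADERS}
    cancels = defaultdict(deque)   # conn -> timestamps of recent rapid cancels
    flagged = {}
    for ts, conn, kind, sid in events:
        if kind == "HEADERS":
            opened[conn][sid] = ts
        elif kind == "RESPONSE_DONE":
            opened[conn].pop(sid, None)        # stream completed normally
        elif kind == "RST_STREAM":
            start = opened[conn].pop(sid, None)
            if start is None or ts - start > FAST_CANCEL_MS:
                continue                       # unknown stream or an ordinary cancel
            recent = cancels[conn]
            recent.append(ts)
            while recent and ts - recent[0] > WINDOW_MS:
                recent.popleft()               # drop cancels outside the window
            if len(recent) > MAX_FAST_CANCELS and conn not in flagged:
                flagged[conn] = ts
    return flagged


def constructed_trace():
    """Constructed sample data: 'a' behaves like a browser, 'b' opens and resets."""
    ev = []
    for i in range(30):            # conn a: 30 requests that all complete
        ev.append((i * 30, "a", "HEADERS", 2 * i + 1))
        ev.append((i * 30 + 20, "a", "RESPONSE_DONE", 2 * i + 1))
    ev.append((900, "a", "HEADERS", 61))       # conn a: one slow, legitimate cancel
    ev.append((1400, "a", "RST_STREAM", 61))
    for i in range(100):           # conn b: 100 streams, each reset 1 ms after opening
        ev.append((i * 2, "b", "HEADERS", 2 * i + 1))
        ev.append((i * 2 + 1, "b", "RST_STREAM", 2 * i + 1))
    return sorted(ev, key=lambda e: e[0])


if __name__ == "__main__":
    print(find_rapid_reset(constructed_trace()))
```

A connection that exceeds the budget would typically be closed or rate-limited; the right thresholds depend on the traffic a given server normally sees.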

Full Article – https://ift.tt/d0aDvfV