October 10, 2023 at 10:13AM – New ‘HTTP/2 Rapid Reset’ zero-day attack breaks DDoS records

A new DDoS technique named ‘HTTP/2 Rapid Reset’ has been actively exploited as a zero-day since August, breaking all previous records in magnitude. Amazon Web Services, Cloudflare, and Google report mitigating attacks reaching 155 million requests per second (Amazon) and 201 million rps (Cloudflare). Cloudflare has detected over a thousand attacks using this technique, with the attack size exceeding its previous record. The attack exploits a zero-day vulnerability in the HTTP/2 protocol, overwhelming the target server or application and forcing it into a denial-of-service (DoS) state. Cloudflare recommends using HTTP-flood protection tools and bolstering DDoS resilience to counter this type of attack.

Summary:

A new DDoS technique called ‘HTTP/2 Rapid Reset’ has been exploited as a zero-day since August, resulting in record-breaking attacks. Cloudflare, Amazon Web Services, and Google have coordinated their response to mitigate the attacks, with Cloudflare reporting attacks reaching 201 million requests per second. The attack method exploits a weakness in the HTTP/2 protocol and overwhelms target servers and applications by continuously sending and canceling requests. Cloudflare has detected and mitigated over a thousand attacks, with the attack size being three times bigger than its previous record. The firms recommend using all available HTTP-flood protection tools and strengthening DDoS resilience to counter these attacks.
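
The send-then-cancel pattern described in the summary can be measured per connection on the server side. The following is an added example, not code from the article or from any of the vendors named: it assumes a hypothetical log of client-sent HTTP/2 frames (HEADERS opens a request stream, RST_STREAM cancels it), and the thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds, not taken from the article; tune against real traffic.
WINDOW_SECONDS = 1.0     # sliding window per connection
MAX_FAST_CANCELS = 100   # rapid cancels tolerated inside one window
FAST_CANCEL_AGE = 0.05   # reset within 50 ms of opening counts as rapid


def find_rapid_reset_connections(events):
    """Return ids of connections that open and cancel streams too quickly.

    events: (timestamp, conn_id, frame_type, stream_id) tuples for
    client-sent frames, ordered by timestamp (hypothetical log format).
    """
    opened = defaultdict(dict)    # conn_id -> {stream_id: time opened}
    cancels = defaultdict(deque)  # conn_id -> times of recent rapid cancels
    flagged = set()
    for ts, conn, frame, stream in events:
        if frame == "HEADERS":
            opened[conn].setdefault(stream, ts)
        elif frame == "RST_STREAM":
            start = opened[conn].pop(stream, None)
            if start is None or ts - start > FAST_CANCEL_AGE:
                continue  # unknown stream, or an ordinary slow cancel
            recent = cancels[conn]
            recent.append(ts)
            while ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) > MAX_FAST_CANCELS:
                flagged.add(conn)
    return flagged


def build_sample_events():
    """Constructed sample: 'A' browses normally; 'B' opens and at once
    cancels 500 streams within half a second."""
    events = []
    for i in range(20):   # A: 20 requests, two cancelled after 400 ms
        events.append((i * 0.05, "A", "HEADERS", 2 * i + 1))
        if i in (3, 11):
            events.append((i * 0.05 + 0.4, "A", "RST_STREAM", 2 * i + 1))
    for i in range(500):  # B: request/cancel pairs, 1 ms apart
        events.append((i * 0.001, "B", "HEADERS", 2 * i + 1))
        events.append((i * 0.001 + 0.0005, "B", "RST_STREAM", 2 * i + 1))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    print(find_rapid_reset_connections(build_sample_events()))
```

Only connection "B" is flagged; the two cancels on "A" arrive 400 ms after their requests and are treated as ordinary client aborts.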

Full Article – https://ift.tt/92rUTpK