October 11, 2023 at 08:24AM
Tech companies including Cloudflare, AWS, and Google have responded to the HTTP/2 zero-day vulnerability that led to massive distributed denial-of-service attacks. The attacks exploited the HTTP/2 Rapid Reset feature, resulting in servers being taken down. Organizations like CISA, Microsoft, NGINX, F5, Netty, Apache, Swift, and Linux distributions have issued advisories and provided mitigations for the vulnerability.
Key Takeaways from the Meeting Notes:
1. Major tech companies, including Cloudflare, AWS, and Google, responded to the HTTP/2 zero-day vulnerability that led to large-scale DDoS attacks.
2. DDoS attacks reached unprecedented levels, originating from small botnets but generating hundreds of millions of requests per second.
3. Google, Cloudflare, and AWS implemented additional protections against this attack vector and notified web server software companies to work on patches.
4. The attack method exploits the ‘stream cancellation’ feature of HTTP/2, causing a DoS condition that can take down servers and applications.
5. Various organizations, including CISA, Microsoft, NGINX, OpenSSF, F5, Netty, Apache, Swift, and Linux distributions, have released alerts, advisories, and updates to address the HTTP/2 Rapid Reset vulnerability.
6. Mitigation measures include installing available web server updates, disabling HTTP/2 protocol, limiting applications to HTTP1.1, updating NGINX configuration, and applying fixes released by respective organizations.
7. The OpenSSF emphasized the importance of rapid response to vulnerabilities.
These takeaways summarize the meeting notes regarding the HTTP/2 Rapid Reset vulnerability and the actions taken by organizations to address it.