HTTP/2 Rapid Reset: The New Threat Looming Over the Web

In the ever-evolving world of web security, a new threat has emerged that has the potential to wreak havoc on virtually every website. This threat, known as the HTTP/2 Rapid Reset vulnerability, has been publicly announced by tech giants like Cloudflare, Amazon Web Services (AWS), and Google.

Understanding the HTTP/2 Rapid Reset Exploit

The vulnerability primarily targets the HTTP/2 and HTTP/3 network protocols. These protocols allow for multiple streams of data to be exchanged between a server and a browser simultaneously. This means that browsers can request multiple resources from a server and receive them all at once, rather than waiting for each resource to download sequentially.

However, this efficiency comes at a cost. The exploit, dubbed HTTP/2 Rapid Reset, can be used to overwhelm servers by sending millions of requests and cancellations in rapid succession. The sheer volume of these requests can cause servers to crash, making websites inaccessible.

The Scale of the Threat

To put the severity of this vulnerability into perspective, Cloudflare reported blocking a DDoS attack that was a staggering 300% larger than any previous attack, with a rate exceeding 201 million requests per second (RPS). Google, on the other hand, reported an attack that surpassed 398 million RPS.

What’s even more alarming is the ease with which these attacks can be launched. Traditional DDoS attacks of this magnitude would require a botnet comprising hundreds of thousands, if not millions, of infected computers. The HTTP/2 Rapid Reset exploit, however, can achieve three times the impact with as few as 20,000 infected computers.

Defending Against the HTTP/2 Rapid Reset Vulnerability

While the threat is real and present, there’s a silver lining. Server software companies are working tirelessly to develop patches to address this vulnerability. For instance, Cloudflare has already taken measures to protect its customers. In extreme cases, where servers are under attack and left defenseless, administrators can downgrade the HTTP network protocol to HTTP/1.1. This action will halt the attack, albeit at the cost of reduced server performance.
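One way a server or proxy can recognise the request-then-cancel pattern on a single connection, shown here as an added example that is not from the original article or from any vendor's code. The thresholds, the event tuple format and all function names are assumptions, and both traces are constructed sample data.

```python
from collections import deque

# Assumed thresholds for illustration only; tune against real traffic.
WINDOW_SECONDS = 1.0         # sliding window length
MAX_QUICK_CANCELS = 100      # quick cancellations tolerated per window
QUICK_CANCEL_SECONDS = 0.05  # cancel this soon after opening counts as "quick"

class ConnectionMonitor:
    """Per-connection view of client-opened and client-cancelled HTTP/2 streams."""
    def __init__(self):
        self.opened_at = {}           # stream id -> time its HEADERS frame arrived
        self.quick_cancels = deque()  # timestamps of quick cancellations

    def on_frame(self, ts, frame_type, stream_id):
        """Feed one client frame; return True when the connection looks abusive."""
        if frame_type == "HEADERS":
            self.opened_at[stream_id] = ts
        elif frame_type == "RST_STREAM":
            opened = self.opened_at.pop(stream_id, None)
            if opened is not None and ts - opened <= QUICK_CANCEL_SECONDS:
                self.quick_cancels.append(ts)
        # Forget cancellations that have aged out of the window.
        while self.quick_cancels and ts - self.quick_cancels[0] > WINDOW_SECONDS:
            self.quick_cancels.popleft()
        return len(self.quick_cancels) > MAX_QUICK_CANCELS

def first_flag(events):
    """Return the index of the first event that trips the monitor, or None."""
    monitor = ConnectionMonitor()
    for i, (ts, frame_type, stream_id) in enumerate(events):
        if monitor.on_frame(ts, frame_type, stream_id):
            return i  # a real server would send GOAWAY and close here
    return None

def reset_flood_trace(n=500):
    """Constructed sample: n streams, each opened and cancelled 0.5 ms later."""
    events = []
    for i in range(n):
        sid, ts = 2 * i + 1, i * 0.001  # client stream ids are odd
        events += [(ts, "HEADERS", sid), (ts + 0.0005, "RST_STREAM", sid)]
    return events

def browser_trace():
    """Constructed sample: 30 requests, 5 cancelled two seconds after opening."""
    events = [(i * 0.01, "HEADERS", 2 * i + 1) for i in range(30)]
    events += [(i * 0.01 + 2.0, "RST_STREAM", 2 * i + 1) for i in range(5)]
    return events

if __name__ == "__main__":
    print("flood flagged at event", first_flag(reset_flood_trace()))
    print("browser flagged at event", first_flag(browser_trace()))
```

The monitor keys on how soon a stream is cancelled after it is opened, so a browser that abandons a few slow downloads is not counted, while a connection that cancels more than 100 streams within a second is flagged.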

Stay Informed

For those keen on delving deeper into this topic, here are some essential reads: