HTTP/2 Rapid Reset zero-day vulnerability puts web servers at risk

October 13, 2023

Cybersecurity researchers have disclosed a previously unknown zero-day vulnerability, dubbed ‘HTTP/2 Rapid Reset,’ that malicious actors have been exploiting aggressively.

The vulnerability has been exploited in the wild, producing the largest distributed denial-of-service (DDoS) attacks ever seen on the internet. Extensive analysis traced the attacks to an unidentified threat actor abusing a weakness in the widely adopted HTTP/2 protocol to launch what has been described as massive, hyper-volumetric DDoS attacks.


The sheer scale of the HTTP/2 Rapid Reset DDoS onslaught left security experts in awe.


During the HTTP/2 Rapid Reset DDoS onslaught, one attack peaked at 201 million requests per second (RPS), more than three times the record-breaking 71 million RPS attack reported in February.

In another incident, an attack peaked at a staggering 398 million RPS, more than seven times larger than any previous attack the affected internet entity had experienced. Furthermore, over two days in late August there were more than a dozen HTTP/2 Rapid Reset attacks, the largest reaching 155 million RPS.

The novel attack method exploits an HTTP/2 feature known as ‘stream cancellation’: the client sends a request and promptly cancels it, repeating the pattern continuously. By automating this simple ‘request, cancel, request, cancel’ sequence at scale, threat actors can orchestrate a denial of service, disrupting the servers and applications behind it.
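As an added example, not code from the original article, the following Python script shows the detection logic a server or proxy can apply to this pattern: it parses the raw HTTP/2 frames of one connection, counts new requests (HEADERS frames) against cancellations (RST_STREAM frames), and flags the connection when cancellations exceed a budget. The frame-building helper, the threshold values and the two sample connections are constructed assumptions for illustration, not any vendor's defaults or captured traffic.

```python
import struct
from collections import Counter

# HTTP/2 frame type codes (RFC 9113) and the RST_STREAM error code a client
# uses when it cancels a request it no longer wants.
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = 0x8

def build_frame(ftype: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Build one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags (0), 32-bit stream id."""
    return struct.pack(">I", len(payload))[1:] + bytes([ftype, 0]) + struct.pack(">I", stream_id) + payload

def parse_frames(data: bytes):
    """Yield (type, stream_id) for each frame in a raw HTTP/2 byte stream (after the preface)."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        yield ftype, stream_id
        off += 9 + length

def rapid_reset_check(data: bytes, max_resets: int = 100, max_ratio: float = 0.5) -> dict:
    """Count requests (HEADERS) and cancellations (RST_STREAM) on one connection and flag it
    when resets exceed an absolute budget or cancel more than max_ratio of the requests.
    The server has usually started work on a stream before the reset arrives, so a client
    that cancels nearly everything is burning server CPU while staying under the
    concurrent-stream limit. Thresholds here are assumed values, not vendor defaults."""
    counts = Counter(ftype for ftype, _ in parse_frames(data))
    headers, resets = counts[HEADERS], counts[RST_STREAM]
    ratio = resets / headers if headers else 0.0
    suspicious = resets > max_resets or (headers >= 10 and ratio > max_ratio)
    return {"headers": headers, "resets": resets, "ratio": round(ratio, 2), "suspicious": suspicious}

def sample_connection(requests: int, cancel_every: int) -> bytes:
    """Constructed sample traffic: `requests` HEADERS frames on odd (client) stream ids,
    with every `cancel_every`-th request immediately followed by RST_STREAM(CANCEL)."""
    out = bytearray()
    for i in range(requests):
        sid = 2 * i + 1
        out += build_frame(HEADERS, sid, b"\x82")  # HPACK indexed field ':method: GET'
        if (i + 1) % cancel_every == 0:
            out += build_frame(RST_STREAM, sid, struct.pack(">I", CANCEL))
    return bytes(out)

NORMAL = sample_connection(requests=40, cancel_every=20)       # occasional user cancellation
RAPID_RESET = sample_connection(requests=500, cancel_every=1)  # every request cancelled at once

if __name__ == "__main__":
    for name, conn in (("normal", NORMAL), ("rapid-reset", RAPID_RESET)):
        print(name, rapid_reset_check(conn))
```

In production the same counters would be kept per connection over a sliding window and the connection closed (GOAWAY) once flagged, which is the mitigation pattern that shipped in the HTTP/2 server patches.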

Astonishingly, the record-breaking attack directed at their clients was launched by a botnet of only about 20,000 compromised devices, far smaller than the hundreds of thousands or even millions of machines typically seen in such attacks.

The vulnerability, which affects all web servers using HTTP/2, has been assigned CVE-2023-44487 and carries a ‘high severity’ rating with a CVSS score of 7.5.

In response to this threat, cybersecurity organisations have reinforced their existing DDoS defences and introduced additional measures. Web server software providers have also been alerted and are actively developing patches to prevent exploitation.

The gravity of the situation was underscored by a warning that this attack poses a risk to any enterprise or individual running HTTP-based workloads on the internet, and that web applications, services, and APIs communicating over HTTP/2 are potentially vulnerable. To mitigate this attack vector, organisations are urged to ensure that their servers supporting HTTP/2 are secured or to apply vendor patches for CVE-2023-44487.
