Warning to website admins: HTTP/2 zero-day causes massive DDoS attacks, patch now


Developers and administrators of web servers are being warned to install patches to fix a critical zero-day vulnerability in a key protocol that led to a recent record-smashing denial of service attack.

Dubbed Rapid Reset and tracked as CVE-2023-44487, it abuses HTTP/2’s stream cancellation feature: a client opens a stream with a request and immediately cancels it with an RST_STREAM frame, over and over on the same connection. Each cancelled stream costs the attacker almost nothing to send, but the server has already started work on the request, and because a cancelled stream no longer counts against the connection’s concurrent-stream limit, that limit never throttles the attacker. By automating what Cloudflare calls a trivial “request, cancel, request, cancel” pattern at scale, threat actors can overwhelm any server or application running a standard implementation of HTTP/2.
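To make the request/cancel pattern concrete, here is an added example (not Cloudflare's code, nor any vendor's patch) that builds raw HTTP/2 frames in the RFC 9113 wire layout, replays two constructed client byte streams through a small per-connection guard, and shows why the concurrent-stream cap alone does not stop the attack. The `ResetGuard` policy (a fixed reset budget plus a reset-to-open ratio) and its thresholds are illustrative assumptions, not the exact algorithm shipped by any server; the HEADERS payloads are a single HPACK indexed field and are not decoded.

```python
import struct
from dataclasses import dataclass, field

# HTTP/2 frame types, flags and error codes used below (RFC 9113 values).
HEADERS = 0x1
RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8
GET_HPACK = b"\x82"  # HPACK indexed field 2 = ":method: GET"; payload is never decoded here


def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id."""
    assert len(payload) < (1 << 24) and 0 <= stream_id < (1 << 31)
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


def parse_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) tuples from a byte string of frames."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack(">I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


@dataclass
class ResetGuard:
    """Per-connection tracker for client-initiated stream resets.

    Illustrative policy (assumption, not a vendor algorithm): every connection may reset
    up to `reset_budget` streams freely; beyond that, if resets exceed `max_reset_ratio`
    of the streams the client opened, the connection is flagged as abusive (a server
    would then send GOAWAY and close it).
    """
    reset_budget: int = 100
    max_reset_ratio: float = 0.5
    opened: int = 0
    resets: int = 0
    peak_concurrent: int = 0
    abusive: bool = False
    open_streams: set = field(default_factory=set)

    def observe(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> bool:
        if ftype == HEADERS and stream_id % 2 == 1 and stream_id not in self.open_streams:
            # Client-initiated streams have odd ids; the server starts work right here.
            self.opened += 1
            self.open_streams.add(stream_id)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
        elif ftype == RST_STREAM:
            # The cancelled stream stops counting towards SETTINGS_MAX_CONCURRENT_STREAMS,
            # which is exactly why that cap never fires against Rapid Reset.
            self.open_streams.discard(stream_id)
            self.resets += 1
            if self.resets > self.reset_budget and self.resets > self.max_reset_ratio * self.opened:
                self.abusive = True
        return self.abusive


def scan_connection(buf: bytes, **policy) -> ResetGuard:
    """Replay a captured client byte stream through the guard and return its final state."""
    guard = ResetGuard(**policy)
    for f in parse_frames(buf):
        guard.observe(*f)
    return guard


def legit_client_bytes(requests: int = 50, cancels: int = 2) -> bytes:
    """Constructed sample: a normal client that opens streams and cancels only a couple."""
    out = b""
    for i in range(requests):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, GET_HPACK)
        if i < cancels:
            out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return out


def rapid_reset_bytes(requests: int = 1000) -> bytes:
    """Constructed sample: the request, cancel, request, cancel pattern on one connection."""
    out = b""
    for i in range(requests):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, GET_HPACK)
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return out


if __name__ == "__main__":
    for name, data in (("legit", legit_client_bytes()), ("rapid-reset", rapid_reset_bytes())):
        g = scan_connection(data)
        print(f"{name}: opened={g.opened} resets={g.resets} "
              f"peak_concurrent={g.peak_concurrent} abusive={g.abusive}")
```

The attacking stream never has more than one stream open at a time, so a server enforcing only SETTINGS_MAX_CONCURRENT_STREAMS sees nothing wrong while it starts work on a thousand requests; counting resets per connection is what separates it from the ordinary client that cancels two navigations. Real patches also rate-limit rather than hard-count, and tune the budget to the proxy's workload.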

“I don’t mean to be alarmist,” Grant Bourzikas, Cloudflare’s chief security officer said, “but I will be direct: you must take this seriously. Treat this as a full active incident to ensure nothing happens to your organization.”

“Anyone whose core business involves the availability of online services could be impacted,” said Jamie Scott, founding product manager at Endor Labs and a volunteer consultant for the Center for Internet Security.

“SaaS services, e-commerce sites, and critical online information services are those that could see the biggest impact. For many organizations, service availability directly translates to revenue and the denial of that availability is a direct hit to their top line. Anyone whose core business involves the availability of online services could be impacted. And as today’s economy and services shift online, those most impacted will be organizations without mature denial of service attack protection.”

Scott urged admins to monitor their commercial and open-source web proxy and web server solutions for any patches available and update as soon as possible.

“DDoS protection vendors and services have observed this attack and helped put mitigations in place before making the novel approach widely known,” he added. “This should broadly reduce the impact across industries. And this is an example of well implemented threat intelligence sharing programs.”

The warning comes after Cloudflare, Google, and Amazon said Tuesday that a vulnerability in HTTP/2, a widely deployed web protocol, is being exploited to launch huge distributed denial of service attacks. In one instance, a botnet of a mere 20,000 compromised servers launched a massive attack. The companies quietly alerted server vendors in advance to give them time to develop patches and mitigations.

Cloudflare, a denial-of-service mitigation provider, called it a novel attack vector used at an unprecedented scale. Application developers have already been notified so they can patch their software.

In its alert, Cloudflare said the weakness in the HTTP/2 protocol can generate “enormous, hyper-volumetric” DDoS attacks to paralyze a target website.

Attackers use this tactic either to harass the victim or to distract it from a cyber attack on another part of its network.

Cloudflare says it mitigated a barrage of these attacks in recent months, including one three times larger than any previous attack it has seen, which exceeded 201 million requests per second (rps). In the absence of patches, it developed purpose-built new technology to stop this particular type of DDoS attack.

The post Warning to website admins: HTTP/2 zero-day causes massive DDoS attacks, patch now first appeared on IT World Canada.
Howard Solomon (https://www.itworldcanada.com)
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
