NEWS: The Persistent Threat of HTTP/2 Rapid Reset Vulnerability

October 16, 2023

In recent news, technology giants Google, Amazon, Microsoft, and Cloudflare have reported that they faced an unprecedented series of distributed denial of service (DDoS) attacks on their cloud infrastructures in August and September. DDoS attacks are a persistent threat in the digital space, where hackers constantly devise new methods to amplify their impact. The recent onslaught was particularly significant because the attackers exploited a vulnerability in a fundamental web protocol. This implies that comprehensive patching efforts are required, extending to all web servers globally, to completely eradicate these attacks.


The vulnerability, termed “HTTP/2 Rapid Reset,” can only be utilized for denial of service and does not provide hackers with the ability to remotely control a server or extract data. However, even this level of attack can create significant disruptions, as uninterrupted availability is critical for any digital service, whether it’s vital infrastructure or essential information.


Google Cloud’s Emil Kiner and Tim April highlighted the potential implications of DDoS attacks, including business losses and inaccessibility of mission-critical applications. They also noted that the recovery time from DDoS attacks can extend well beyond the duration of the attack itself.


Another intriguing aspect of this situation is the origin of the vulnerability. Rapid Reset is not linked to a specific piece of software but is embedded in the HTTP/2 network protocol used for loading web pages. This protocol, developed by the Internet Engineering Task Force (IETF), has been in existence for approximately eight years and is a more efficient and faster alternative to the older versions of HTTP. HTTP/2 is particularly effective for mobile usage and consumes less bandwidth, which has led to its widespread adoption. The IETF is currently working on HTTP/3.


Cloudflare’s Lucas Pardue and Julien Desgats stated that any vendor that has implemented HTTP/2 could potentially be targeted by this attack. While there are a few implementations that are not affected by Rapid Reset, Pardue and Desgats stress that this issue is generally applicable to “every modern web server.”


Different from a software-specific bug that can be patched by the respective developer, a protocol flaw cannot be rectified by a single entity because each website employs the standard in its unique way. When large cloud services and DDoS defense providers develop fixes for their services, it significantly contributes to the protection of all users of their infrastructure. However, organizations and individuals operating their own web servers are responsible for implementing their own protective measures.


Dan Lorenc, an experienced open-source software researcher and CEO of software supply chain security firm Chainguard, suggests that this situation exemplifies the benefits of open-source availability and code reuse. Many web servers have likely borrowed their HTTP/2 implementation from elsewhere instead of creating everything from scratch. If these projects are maintained, they can develop Rapid Reset fixes that can be disseminated to users.


However, achieving full adoption of these patches will take years, and there will still be some services that have independently implemented HTTP/2 from scratch and therefore don’t have a patch available from elsewhere.


Lorenc emphasizes the importance of acknowledging that these tech giants discovered this vulnerability while it was being actively exploited. He warns that this vulnerability can be used to disrupt services like operational technology or industrial control, which is a concerning prospect.


Despite the recent high-profile DDoS attacks on Google, Cloudflare, Microsoft, and Amazon being noteworthy for their scale, these companies managed to successfully fend off the attacks without any lasting damage. However, the mere occurrence of these attacks underlines the importance of vigilance and proactive measures in the face of evolving cybersecurity threats.


The hackers, in the course of executing their attacks, disclosed the protocol’s weakness as well as the method to exploit it—an action and its consequence that the cybersecurity world refers to as “exposing a zero-day vulnerability.” While the process of applying patches will require some time, and certain web servers will continue to be susceptible for a prolonged period, the internet is now more secure than if the attackers had not revealed their strategy by taking advantage of the vulnerability.


“This type of bug in the standard is not common; it’s a unique vulnerability and was a significant discovery for the person or group who first identified it,” states Lorenc. “They could have held onto it or even likely sold it for a substantial sum. I will always be intrigued by the enigma of why someone chose to expose this one.”