On October 10, 2023, Cloudflare, Google, and Amazon AWS disclosed a new zero-day vulnerability dubbed the “HTTP/2 Rapid Reset” attack. This attack exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric Distributed Denial of Service (DDoS) attacks.
DDoS attacks are designed to overwhelm a website or server with traffic, making it unavailable to legitimate users. Hyper-volumetric DDoS attacks are particularly dangerous because they can generate massive amounts of traffic, which can be difficult to mitigate even for large companies.
The HTTP/2 Rapid Reset attack works by sending a large number of HTTP/2 requests to a server. The server then sends back a “reset” message, which tells the client to stop sending requests. However, the attacker can keep sending requests even after receiving the reset message. This can cause the server to become overloaded and unavailable.
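One way to spot this pattern in server-side telemetry, as an added example that is not part of the original article: the Python below counts, per connection, the streams that are reset within a few milliseconds of being opened, and flags connections where that is nearly all of them. The log format, field names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log in a hypothetical format (not from any real server):
# "<timestamp in ms> conn=<id> frame=<HTTP/2 frame type> stream=<stream id>"
SAMPLE_LOG = "\n".join(
    # conn A: 40 streams, each reset 2 ms after it is opened
    [f"{1000 + i * 5} conn=A frame=HEADERS stream={2 * i + 1}\n"
     f"{1002 + i * 5} conn=A frame=RST_STREAM stream={2 * i + 1}" for i in range(40)]
    # conn B: ordinary browsing, one late cancellation out of five requests
    + [f"{1000 + i * 300} conn=B frame=HEADERS stream={2 * i + 1}" for i in range(5)]
    + ["2900 conn=B frame=RST_STREAM stream=3"]
)

LINE = re.compile(r"(\d+) conn=(\S+) frame=(\S+) stream=(\d+)")

def find_rapid_reset(log, max_gap_ms=50, min_resets=20, min_ratio=0.8):
    """Return {conn: (streams_opened, rapid_resets)} for suspicious connections.

    The thresholds are illustrative assumptions; tune them to real traffic.
    """
    opened_at = defaultdict(dict)   # conn -> {stream id: time HEADERS was seen}
    opened = defaultdict(int)       # conn -> number of streams opened
    rapid = defaultdict(int)        # conn -> streams reset within max_gap_ms
    for line in log.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue                # skip lines that are not frame events
        ts, conn, frame, stream = int(m[1]), m[2], m[3], int(m[4])
        if frame == "HEADERS" and stream not in opened_at[conn]:
            opened_at[conn][stream] = ts
            opened[conn] += 1
        elif frame == "RST_STREAM":
            # RST_STREAM cancels a stream; measure how soon after opening
            start = opened_at[conn].pop(stream, None)
            if start is not None and ts - start <= max_gap_ms:
                rapid[conn] += 1
    return {c: (opened[c], n) for c, n in rapid.items()
            if n >= min_resets and n / opened[c] >= min_ratio}

if __name__ == "__main__":
    for conn, (n_open, n_rapid) in find_rapid_reset(SAMPLE_LOG).items():
        print(f"conn {conn}: {n_rapid}/{n_open} streams reset within 50 ms")
```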
Researchers have confirmed that the HTTP/2 Rapid Reset vulnerability has been used to launch some of the largest DDoS attacks in history. For example, in October 2023, Cloudflare mitigated a DDoS attack using this vulnerability that peaked at 4.2 terabits per second (Tbps). This is the largest DDoS attack ever recorded.
The HTTP/2 Rapid Reset vulnerability is a serious threat to businesses of all sizes. Even small businesses can be targeted by DDoS attacks, and the consequences of a successful attack can be devastating. Businesses can lose revenue, damage their reputation, and even go out of business as a result of a DDoS attack.
There are a number of things that businesses can do to protect themselves from DDoS attacks, including:
If you are concerned about the HTTP/2 Rapid Reset vulnerability, contact Be Secure Cyber to discuss how to mitigate against attacks like this and safeguard your online presence.
In addition to the tips above, there are a number of other things that you can do to protect your business from DDoS attacks, including:
Contact Be Secure Cyber today and we can help you plan to protect your business against cyber threats.
© Be Secure Cyber Ltd 2023