
No Site Is Immune: HTTP/2 Rapid Reset DDoS Vulnerability Warning


Server software companies are racing to address a critical DDoS vulnerability, one that has the potential to affect nearly every website.

Information has emerged about a new form of DDoS attack that can be launched with surprisingly few resources, posing a substantial threat to websites. Server software companies are racing to deploy patches to guard against attacks of this unprecedented scale.

HTTP/2 Rapid Reset Vulnerability

This exploit capitalizes on the HTTP/2 and HTTP/3 network protocols, which allow multiple data streams to be transmitted concurrently between a server and a browser. In practical terms, the browser can request several resources from a server and receive them in parallel rather than waiting for each resource to download in turn.
The vulnerability known as HTTP/2 Rapid Reset was publicly disclosed by notable tech companies like Cloudflare, Amazon Web Services (AWS), and Google.
The implications of this security issue are widespread because most contemporary web servers rely on the HTTP/2 network protocol.
Currently, no software patch exists to rectify the HTTP/2 security vulnerability, rendering virtually all servers susceptible to exploitation. This type of novel, unmitigated exploit is commonly referred to as a “zero-day exploit.”

Understanding the Mechanics of the HTTP/2 Rapid Reset Vulnerability

Within the HTTP/2 network protocol, a server setting defines how many concurrent requests a connection may have open at once.
Any request beyond that limit is automatically refused.
The HTTP/2 protocol also lets a client cancel a request, which immediately removes the corresponding data stream from the count against that limit. This cancellation feature is useful in itself, because it frees the server to take on another data stream promptly.
The vulnerability is that an attacker can abuse exactly this behaviour, inundating a server with requests that are each cancelled immediately after being sent, at a scale that can reach millions.
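The following is an added illustration, not code from the original article or from any of the vendors it names. It models only the per-connection bookkeeping described above: a server limit on concurrently open streams, and a cancellation (HTTP/2's RST_STREAM frame) that frees a slot at once. It then shows why the concurrent-stream limit alone does not help, and adds a per-connection reset-rate check as an assumed defensive heuristic; the limit of 100 streams, the budget of 1000 resets per one-second window and the constructed timestamps are all assumptions for the demonstration, not any vendor's patched values.

```python
"""Toy model of HTTP/2 stream accounting under Rapid Reset.

Added illustration, not code from the original article. It models only the
per-connection bookkeeping an HTTP/2 server keeps: the advertised
concurrent-stream limit (SETTINGS_MAX_CONCURRENT_STREAMS) and the fact that
RST_STREAM frees a slot immediately. The per-connection reset-rate check is
an assumed defensive heuristic with constructed thresholds, not a specific
vendor's patch. No network traffic is involved.
"""
from collections import deque


class Connection:
    """Per-connection state a server keeps while multiplexing streams."""

    def __init__(self, max_concurrent_streams=100,
                 max_resets_per_window=None, window_seconds=1.0):
        self.max_concurrent_streams = max_concurrent_streams  # server limit
        self.max_resets_per_window = max_resets_per_window    # None = no check
        self.window_seconds = window_seconds
        self.open_streams = set()
        self.reset_times = deque()   # timestamps of recent RST_STREAM frames
        self.work_accepted = 0       # requests handed to backend workers
        self.refused = 0             # HEADERS refused (limit reached or closed)
        self.closed = False          # connection torn down by the heuristic

    def on_headers(self, stream_id, now):
        """Client opens a stream. Returns True if the request was admitted."""
        if self.closed or len(self.open_streams) >= self.max_concurrent_streams:
            self.refused += 1
            return False
        self.open_streams.add(stream_id)
        self.work_accepted += 1      # the server starts processing right away
        return True

    def on_rst_stream(self, stream_id, now):
        """Client cancels a stream: the slot is freed at once, which is the
        behaviour the attack relies on. Defensive check (assumed heuristic):
        too many resets inside the window means the peer is not behaving
        like a normal client, so the whole connection is closed."""
        self.open_streams.discard(stream_id)
        if self.max_resets_per_window is None:
            return
        self.reset_times.append(now)
        while self.reset_times and now - self.reset_times[0] > self.window_seconds:
            self.reset_times.popleft()       # drop resets outside the window
        if len(self.reset_times) > self.max_resets_per_window:
            self.closed = True


def simulate_plain_burst(n_requests, limit=100):
    """Client opens n streams and never cancels: the stream limit does its job."""
    conn = Connection(max_concurrent_streams=limit)
    for i in range(n_requests):
        conn.on_headers(stream_id=2 * i + 1, now=i * 1e-5)
    return conn


def simulate_rapid_reset(n_requests, limit=100, max_resets=None):
    """Client opens each stream and cancels it immediately. Without a reset
    budget every request is admitted and the limit never triggers; with one,
    the connection is closed once the budget is spent."""
    conn = Connection(max_concurrent_streams=limit,
                      max_resets_per_window=max_resets)
    for i in range(n_requests):
        sid, now = 2 * i + 1, i * 1e-5       # client streams are odd-numbered
        if conn.on_headers(sid, now):
            conn.on_rst_stream(sid, now)
    return conn


if __name__ == "__main__":
    plain = simulate_plain_burst(10_000)
    print("no resets:   accepted", plain.work_accepted, "refused", plain.refused)
    raw = simulate_rapid_reset(10_000)
    print("rapid reset: accepted", raw.work_accepted, "refused", raw.refused)
    guarded = simulate_rapid_reset(10_000, max_resets=1000)
    print("with budget: accepted", guarded.work_accepted,
          "closed", guarded.closed)
```

With 10,000 requests on one connection, the plain burst is capped at 100 accepted requests by the stream limit, whereas the open-then-cancel pattern gets all 10,000 handed to workers while never holding more than one stream open. Counting resets per connection over a short window, and closing the connection when the budget is exceeded, bounds the damage to roughly the budget size; in a real server the budget would be tuned so that legitimate clients, which cancel streams only occasionally, never reach it.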

The Severity of HTTP/2 Rapid Reset

The impact of the HTTP/2 Rapid Reset exploit is exceptionally grave because no effective defenses against it exist at present.
Cloudflare reported thwarting a DDoS attack that was a staggering 300% larger than any previously recorded DDoS attack.
The most significant attacks exceeded 201 million requests per second (RPS).
Additionally, Google has documented a DDoS attack surpassing a massive 398 million RPS.
The gravity of this exploit extends beyond these statistics, however. What makes it even more ominous is that it demands only a relatively modest amount of resources to initiate an attack.
DDoS attacks of this magnitude have traditionally required hundreds of thousands to millions of compromised computers (collectively called a botnet). In stark contrast, the HTTP/2 Rapid Reset exploit requires as few as 20,000 compromised computers to launch attacks three times larger than the most extensive DDoS attacks ever witnessed.
This lower threshold means that malicious actors can more easily gain the capacity to launch devastating DDoS assaults.

Defending Against HTTP/2 Rapid Reset

Server software providers are actively developing patches for the HTTP/2 vulnerability. Customers using Cloudflare services can rest assured, as they are already shielded from this threat.
In the worst case, where a server is under attack and still unprotected, administrators can downgrade the network protocol from HTTP/2 to HTTP/1.1. This will stop the attackers from continuing their assault, though it may reduce server performance. Nevertheless, that performance reduction is preferable to the server being offline.

If you’re still grappling with complexity and confusion, consider exploring our monthly SEO packages. Let our industry experts take the reins and manage it for you.

Shilpi Mathur
navyya.shilpi@gmail.com