Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
Cloudflare started analyzing the attack method and the underlying vulnerability in late August. The company says an unknown threat actor has exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks.
One of the attacks seen by Cloudflare was three times larger than the record-breaking 71 million requests per second (RPS) attack reported by the company in February. Specifically, the HTTP/2 Rapid Reset DDoS campaign peaked at 201 million RPS.
In Google’s case, the company observed a DDoS attack that peaked at 398 million RPS, more than seven times the largest attack the internet giant had previously seen.
Amazon saw over a dozen HTTP/2 Rapid Reset attacks over the course of two days in late August, with the largest peaking at 155 million RPS.
The new attack method abuses an HTTP/2 feature called ‘stream cancellation’: the attacker repeatedly opens a request stream and immediately cancels it, so the server does the work of handling each request while the cancelled streams never count against the connection's concurrent-stream limit.
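As an added defender-side illustration (not code from the article or from Cloudflare, Google or AWS), the heuristic below scores each HTTP/2 connection by how many of its streams are cancelled almost immediately after being opened, which is the pattern the stream-cancellation abuse leaves in frame logs. The event tuple format, the sample events and the thresholds are assumptions constructed for this example.

```python
"""Flag HTTP/2 connections whose streams are opened and reset almost at once (added example)."""
from collections import defaultdict

# Constructed sample of HTTP/2 frame events: (timestamp_ms, connection_id, frame_type, stream_id).
# Hypothetical format for illustration; real servers log this differently.
SAMPLE_EVENTS = [
    (0,   "conn-A", "HEADERS",    1),   # conn-A: open stream, reset within 1 ms, repeat
    (1,   "conn-A", "RST_STREAM", 1),
    (2,   "conn-A", "HEADERS",    3),
    (3,   "conn-A", "RST_STREAM", 3),
    (4,   "conn-A", "HEADERS",    5),
    (5,   "conn-A", "RST_STREAM", 5),
    (0,   "conn-B", "HEADERS",    1),   # conn-B: normal browsing, one late cancel
    (40,  "conn-B", "DATA",       1),
    (50,  "conn-B", "HEADERS",    3),
    (90,  "conn-B", "DATA",       3),
    (120, "conn-B", "RST_STREAM", 3),
]


def reset_stats(events, window_ms=10):
    """Return {conn: (streams_opened, resets, rapid_resets)}.

    A reset is "rapid" when the RST_STREAM arrives within window_ms of the
    HEADERS frame that opened the same stream on the same connection.
    """
    opened_at = {}                              # (conn, stream) -> open timestamp
    stats = defaultdict(lambda: [0, 0, 0])      # conn -> [opened, resets, rapid]
    for ts, conn, frame, stream in sorted(events, key=lambda e: e[0]):
        if frame == "HEADERS":
            opened_at[(conn, stream)] = ts
            stats[conn][0] += 1
        elif frame == "RST_STREAM" and (conn, stream) in opened_at:
            stats[conn][1] += 1
            if ts - opened_at.pop((conn, stream)) <= window_ms:
                stats[conn][2] += 1
    return {conn: tuple(v) for conn, v in stats.items()}


def flag_abusive_connections(events, window_ms=10, min_streams=3, ratio=0.8):
    """Connections where at least min_streams streams were opened and most were rapidly reset."""
    flagged = []
    for conn, (opened, _resets, rapid) in reset_stats(events, window_ms).items():
        if opened >= min_streams and rapid / opened >= ratio:
            flagged.append(conn)
    return sorted(flagged)
```

Thresholds like these are a starting point for rate-limiting or closing a connection; legitimate clients do cancel streams, so the ratio and window matter more than the raw reset count.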