The unveiling of the 'Rapid Reset' vulnerability in the HTTP/2 protocol, identified as CVE-2023-44487, has signified a notable evolution in the cybersecurity landscape. This vulnerability opened up avenues for attackers to orchestrate formidable denial-of-service (DoS) attacks, though it does not permit remote server takeovers or data exfiltration.
The Genesis of 'Rapid Reset':
The vulnerability emerged from the exploitation of certain features within the HTTP/2 protocol and server implementation details. A significant instance of exploitation began on August 25, 2023, when Cloudflare reported unusually large HTTP attacks against their customers, peaking at over 201 million requests per second—nearly threefold the magnitude of any previous attack recorded by Cloudflare. Intriguingly, a botnet of a mere 20,000 machines was leveraged to generate this immense traffic, reflecting the potential for even larger attacks if larger botnets were deployed.
The Mechanics of the Attack:
The malicious genius of the 'Rapid Reset' attack lies in its exploitation of specific HTTP/2 features, creating a surge of requests that overwhelmed target servers. The specific features of HTTP/2 exploited, and the server implementation details remain under examination, but the overarching technique employed by the attackers represents a novel and potent threat.
Industry stalwarts like Cloudflare, Google, and AWS acted swiftly upon detecting the attacks. They fortified their systems to absorb the brunt of the attacks and engaged in a coordinated disclosure of the attack method to impacted vendors and critical infrastructure providers. Furthermore, they've shared mitigation strategies to help other web servers and services fortify against such attacks.
Recommendations and The Way Forward:
The Cybersecurity and Infrastructure Security Agency (CISA) has exhorted organizations offering HTTP/2 services to apply forthcoming patches, mull over configuration alterations, and explore other mitigation strategies. In the interim, employing DDoS mitigation services such as those offered by Cloudflare stands as a prudent defence mechanism. This incident also serves as a catalyst for the HTTP/2 protocol standards team and teams working on future web standards to augment the design to preclude such vulnerabilities.
The discovery of the 'Rapid Reset' weakness in HTTP/2 has opened our eyes to new cybersecurity challenges. It shows how important it is to always be on the lookout for possible issues, to understand our digital tools better, and to work together to keep our online world safe. This experience teaches us that by joining forces and constantly improving our defences, we can better protect ourselves from evolving online threats.