Developers and administrators of web servers are being warned to install patches to fix a critical zero-day vulnerability in a key protocol that led to a recent record-smashing denial of service attack.
Dubbed Rapid Reset, it leverages HTTP/2’s stream cancellation feature by sending a request and immediately canceling it, over and over. By automating what Cloudflare calls a trivial “request, cancel, request, cancel” pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2.
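The pattern described above is visible from the server side as a connection that opens streams and resets them almost immediately, far more often than a real client ever would. The following added example (not Cloudflare's, Google's, Amazon's or any vendor's code) shows a defender-side heuristic that scans a frame-level log and flags connections exhibiting the "request, cancel" cycle. It assumes a proxy or server that emits one line per HTTP/2 frame in the constructed form `<ts_ms> conn=<id> <FRAME> stream=<n>`; the window and threshold values are illustrative choices, not vendor defaults, and the sample log is constructed.

```python
"""Added example: flag HTTP/2 connections showing the Rapid Reset
"request, cancel, request, cancel" pattern from a frame-level log.

Assumed log format (constructed for this example):
    <ts_ms> conn=<id> <FRAME> stream=<n>
Window and threshold values are illustrative, not vendor defaults.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\d+) conn=(?P<conn>\S+) (?P<frame>[A-Z_]+) stream=(?P<stream>\d+)$"
)


@dataclass
class ConnStats:
    """Per-connection counters maintained while scanning the log."""
    streams_seen: set = field(default_factory=set)        # stream ids opened by the client
    resets: int = 0                                       # RST_STREAM frames from the client
    recent_resets: deque = field(default_factory=deque)   # reset timestamps inside the window


def parse_line(line):
    """Return (ts_ms, conn, frame, stream) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["conn"], m["frame"], int(m["stream"])


def find_rapid_reset(log_text, window_ms=1000, max_resets=10, min_ratio=0.8):
    """Flag connections whose client sends at least `max_resets` RST_STREAM
    frames within `window_ms` and whose overall reset/opened ratio is at
    least `min_ratio` (a legitimate client cancels only occasionally).

    Returns {conn_id: (ts_ms_when_flagged, resets_in_window)}.
    """
    stats = defaultdict(ConnStats)
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, conn, frame, stream = parsed
        s = stats[conn]
        if frame == "HEADERS":
            # Count each stream once; a later HEADERS on the same stream is a trailer.
            s.streams_seen.add(stream)
        elif frame == "RST_STREAM":
            s.resets += 1
            s.recent_resets.append(ts)
            # Drop resets that have aged out of the sliding window.
            while s.recent_resets and ts - s.recent_resets[0] > window_ms:
                s.recent_resets.popleft()
            in_window = len(s.recent_resets)
            ratio = s.resets / max(len(s.streams_seen), 1)
            if conn not in flagged and in_window >= max_resets and ratio >= min_ratio:
                flagged[conn] = (ts, in_window)
    return flagged


def _constructed_sample_log():
    """Constructed log: one well-behaved client and one abusive connection."""
    lines = [
        # conn=good: ordinary requests, each answered, plus one legitimate cancel.
        "1000 conn=good HEADERS stream=1",
        "1005 conn=good DATA stream=1",
        "1010 conn=good HEADERS stream=3",
        "1015 conn=good DATA stream=3",
        "1020 conn=good HEADERS stream=5",
        "1021 conn=good RST_STREAM stream=5",
        "1030 conn=good HEADERS stream=7",
        "1035 conn=good DATA stream=7",
        "1040 conn=good HEADERS stream=9",
        "1045 conn=good DATA stream=9",
    ]
    # conn=bot: twelve streams, each opened and cancelled within about 1 ms.
    for i in range(12):
        stream = 2 * i + 1
        lines.append(f"{2000 + 2 * i} conn=bot HEADERS stream={stream}")
        lines.append(f"{2001 + 2 * i} conn=bot RST_STREAM stream={stream}")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_sample_log()

if __name__ == "__main__":
    for conn, (ts, n) in find_rapid_reset(SAMPLE_LOG).items():
        print(f"conn={conn}: {n} resets within window at t={ts} ms -> close connection")
```

The per-connection reset budget is the useful output here: once a connection crosses it, a server or proxy can close that connection instead of continuing to allocate work for streams the client never intends to complete, which is what turns the cheap "request, cancel" loop into a cost the defender controls.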
“I don’t mean to be alarmist,” Grant Bourzikas, Cloudflare’s chief security officer said, “but I will be direct: you must take this seriously. Treat this as a full active incident to ensure nothing happens to your organization.”
“Anyone whose core business involves the availability of online services could be impacted,” said Jamie Scott, founding product manager at Endor Labs and a volunteer consultant for the Center for Internet Security.
“SaaS services, e-commerce sites, and critical online information services are those that could see the biggest impact. For many organizations, service availability directly translates to revenue and the denial of that availability is a direct hit to their top line. Anyone whose core business involves the availability of online services could be impacted. And as today’s economy and services shift online, those most impacted will be organizations without mature denial of service attack protection.”
Scott urged admins to monitor their commercial and open-source web proxy and web server solutions for any patches available and update as soon as possible.
“DDoS protection vendors and services have observed this attack and helped put mitigations in place before making the novel approach widely known,” he added. “This should broadly reduce the impact across industries. And this is an example of well implemented threat intelligence sharing programs.”
The warning comes after Cloudflare, Google, and Amazon said Tuesday that a vulnerability in the HTTP/2 performance protocol used in servers is being exploited to launch huge distributed denial of service attacks. In one instance, a botnet of a mere 20,000 compromised servers launched a massive attack. The companies quietly alerted server vendors to allow them time to develop patches and mitigations.
Cloudflare, a denial-of-service attack mitigation service, called it a novel attack vector used at an unprecedented scale. Application developers have already been notified to patch their software.
In its alert, Cloudflare said the weakness in the HTTP/2 protocol can generate “enormous, hyper-volumetric” DDoS attacks to paralyze a target website.
Attackers use this tactic to either harass the victim or distract it from a cyber attack on another part of its network.
Cloudflare says it mitigated a barrage of these attacks in recent months, including an attack three times larger than any previous attack it has seen, which exceeded 201 million requests per second (rps). In the absence of patches, it developed purpose-built new technology to stop this particular type of DDoS attack.