Zero-Day Vulnerability in HTTP/2 Protocol Caused Unprecedented Surge in DDoS Attacks
Google to require passkeys for default sign-in, EU commissioner gives Musk 24 hours to answer for Hamas war misinformation, Utah latest state to sue TikTok, Microsoft patches 100+ flaws, much more
Cloudflare, Google, Microsoft, and Amazon all say they successfully mitigated what two of the companies called the biggest layer 7 DDoS attacks they’ve recorded. The attacks took place in August and September.
The companies say the attacks were possible because of a zero-day vulnerability in the HTTP/2 protocol they’ve named “HTTP/2 Rapid Reset,” tracked as CVE-2023-44487.
HTTP/2 speeds up page loading by allowing for multiple simultaneous requests to a website over a single connection. Cloudflare writes that these attacks apparently involved an automated cycle of sending and immediately canceling “hundreds of thousands” of requests to websites that use HTTP/2, overwhelming servers and taking them offline.
Google says Rapid Reset works because it relies on the ability of an endpoint to send a RST_STREAM frame immediately after sending a reque…
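The request-then-cancel pattern described above can be spotted from the client-to-server frame stream alone. The following is an added example, not code from Cloudflare, Google, or the newsletter: it parses HTTP/2 frame headers as laid out in RFC 9113 and flags a connection on which nearly every opened stream was cancelled by the client. The function names, the thresholds, and the sample bytes are assumptions made for illustration.

```python
import struct

HEADERS, RST_STREAM = 0x1, 0x3          # frame type codes, RFC 9113
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

def parse_frames(buf):
    """Yield (type, stream_id) for each complete frame in client-to-server bytes."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos + 9 <= len(buf):
        # 9-byte header: 24-bit length, type, flags, 1 reserved bit + 31-bit stream id
        hi, lo, ftype, _flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):
            break                        # truncated capture: stop instead of misparsing
        yield ftype, sid & 0x7FFFFFFF
        pos = end

def rapid_reset_stats(buf):
    """Return (streams opened by the client, streams the client then cancelled)."""
    opened, cancelled = set(), set()
    for ftype, sid in parse_frames(buf):
        if ftype == HEADERS and sid % 2 == 1:      # client-initiated streams are odd
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened:
            cancelled.add(sid)
    return len(opened), len(cancelled)

def is_suspicious(buf, min_streams=100, min_cancel_ratio=0.9):
    """Flag a connection where nearly every request was cancelled (assumed thresholds)."""
    opened, cancelled = rapid_reset_stats(buf)
    return opened > 0 and opened >= min_streams and cancelled / opened >= min_cancel_ratio

# --- constructed test data, not captured traffic ---
def _frame(ftype, flags, sid, payload=b""):
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

def sample_capture(requests, cancel):
    out = PREFACE
    for i in range(requests):
        sid = 2 * i + 1
        out += _frame(HEADERS, 0x5, sid, b"\x00")  # placeholder header block, never decoded
        if cancel:
            out += _frame(RST_STREAM, 0x0, sid, struct.pack(">I", 0x8))  # error code CANCEL
    return out

if __name__ == "__main__":
    for label, cap in (("normal", sample_capture(200, False)),
                       ("cancel-heavy", sample_capture(200, True))):
        print(label, rapid_reset_stats(cap), is_suspicious(cap))
```

The check is count-based and ignores timing, so a production rule would also bound cancellations per time window and tune both thresholds against normal client behaviour.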