Record-breaking DDoS attacks facilitated by novel technique thwarted

Google, Cloudflare, and Amazon Web Services averted record-breaking layer 7 distributed denial-of-service attacks that used the new HTTP/2 Rapid Reset technique and peaked at 398 million, 201 million, and 155 million requests per second, respectively, reports The Hacker News. The technique involves a zero-day vulnerability in the HTTP/2 protocol, which could be exploited to send requests and resets in quick succession across HTTP/2 connections, overwhelming and disrupting websites, according to AWS researchers Tom Scholl and Mark Ryland. Google Cloud researchers observed numerous iterations of Rapid Reset attacks and noted that newer versions were more efficient despite being less effective than the original variant. The emergence of DDoS attacks using the Rapid Reset technique should prompt immediate strengthening of HTTP/2 defenses, said Cloudflare Chief Security Officer Grant Bourzikas. "After today, threat actors will be largely aware of the HTTP/2 vulnerability; and it will inevitably become trivial to exploit and kick off the race between defenders and attacks first to patch vs. first to exploit," Bourzikas added.
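A defender-side illustration of the request-then-reset pattern described above, as an added example that is not from the article or the vendors it cites: it flags connections where most streams are cancelled by the client almost immediately after being opened. The event tuple format, the thresholds and the sample data are assumptions constructed for illustration; HEADERS and RST_STREAM are the HTTP/2 frame types that open and cancel a stream.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against your own baseline traffic.
FAST_RESET_MS = 50      # a client reset this soon after HEADERS counts as "rapid"
MIN_RAPID_RESETS = 20   # ignore connections with only a handful of cancellations
MIN_RAPID_RATIO = 0.8   # share of opened streams that were rapidly reset


def find_rapid_reset_connections(events):
    """events: iterable of (ts_ms, conn_id, stream_id, frame_type) tuples for
    client-sent frames (hypothetical log format).
    Returns {conn_id: (streams_opened, rapid_resets)} for flagged connections."""
    opened_at = {}                 # (conn, stream) -> timestamp of first HEADERS
    opened = defaultdict(int)      # conn -> streams opened
    rapid = defaultdict(int)       # conn -> streams reset within FAST_RESET_MS
    for ts, conn, stream, ftype in sorted(events):
        key = (conn, stream)
        if ftype == "HEADERS" and key not in opened_at:
            opened_at[key] = ts
            opened[conn] += 1
        elif ftype == "RST_STREAM" and key in opened_at:
            if ts - opened_at.pop(key) <= FAST_RESET_MS:
                rapid[conn] += 1
    return {c: (opened[c], n) for c, n in rapid.items()
            if n >= MIN_RAPID_RESETS and n / opened[c] >= MIN_RAPID_RATIO}


def build_sample_events():
    """Constructed sample data: connection 'A' resembles a browser that cancels
    a few requests late; connection 'B' opens 100 streams and resets each 1 ms later."""
    events = []
    for i in range(30):
        sid = 2 * i + 1            # client-initiated stream ids are odd
        events.append((i * 200, "A", sid, "HEADERS"))
        if i % 10 == 0:            # occasional late cancel, e.g. navigation away
            events.append((i * 200 + 900, "A", sid, "RST_STREAM"))
    for i in range(100):
        sid = 2 * i + 1
        events.append((i * 2, "B", sid, "HEADERS"))
        events.append((i * 2 + 1, "B", sid, "RST_STREAM"))
    return events


if __name__ == "__main__":
    for conn, (n_open, n_rapid) in find_rapid_reset_connections(build_sample_events()).items():
        print(f"conn {conn}: {n_rapid}/{n_open} streams reset within {FAST_RESET_MS} ms")
```
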
