The Cybersecurity and Infrastructure Security Agency (CISA) is asking organizations that deliver essential internet services to quickly apply updates and patches to their networks after news emerged this week detailing what are thought to be the largest-ever distributed denial-of-service (DDoS) attacks.

The CISA advisory, published on Oct. 10, warns about a DDoS-related vulnerability in the HTTP/2 protocol known as Rapid Reset, also tracked as CVE-2023-44487, which has been plaguing organizations from August 2023 through October 2023.

“CISA recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations,” the advisory says.

In a coordinated announcement, Amazon Web Services (AWS), Cloudflare, and Google detailed how the vulnerability has wreaked havoc in the wild.

“The ‘Rapid Reset’ technique leverages the ‘stream multiplexing’ feature of HTTP/2, wherein numerous requests and subsequent immediate cancellations cause substantial server-side workload with minimal client-side attacker cost,” said the organizations.

“The attack takes advantage of a feature in HTTP/2 by repeatedly sending and canceling requests, which overwhelms the target website or application, causing it to stop working correctly,” the companies said.
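Seen from the server side, the behaviour quoted above (many streams opened and immediately cancelled on a single connection) leaves a measurable signal: a burst of RST_STREAM frames from the client, roughly one per HEADERS frame, inside a very short window. The following Python is an added illustration of a per-connection reset-rate monitor; it is not code from CISA, AWS, Cloudflare, or Google. The window length, the thresholds, and the sample frame events are constructed assumptions chosen to show one benign client beside one abusive one.

```python
"""Per-connection HTTP/2 stream-reset rate monitor (added illustration).

Frame events are (timestamp_seconds, connection_id, frame_type, stream_id).
A real deployment would read these counters from the HTTP/2 server or
reverse proxy; here they are constructed in-line so the script runs offline.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0          # sliding window length (assumed tuning value)
MAX_RESETS_PER_WINDOW = 100   # assumed threshold before a connection is flagged
MIN_RESET_RATIO = 0.8         # resets / opened streams that looks like abuse


def build_events():
    """Constructed sample traffic: one benign connection, one abusive one."""
    events = []
    # Benign client "conn-A": 20 requests over 2 s, two legitimate cancellations.
    for i in range(20):
        events.append((i * 0.1, "conn-A", "HEADERS", 2 * i + 1))
    events.append((0.55, "conn-A", "RST_STREAM", 3))
    events.append((1.25, "conn-A", "RST_STREAM", 13))
    # Abusive client "conn-B": 300 open-and-cancel pairs inside 0.3 s.
    # Client-initiated HTTP/2 streams use odd stream identifiers.
    for i in range(300):
        t = i * 0.001
        sid = 2 * i + 1
        events.append((t, "conn-B", "HEADERS", sid))
        events.append((t + 0.0002, "conn-B", "RST_STREAM", sid))
    return sorted(events)  # order by timestamp as a capture would be


class ResetRateMonitor:
    """Tracks HEADERS and RST_STREAM timestamps per connection in a sliding window."""

    def __init__(self, window=WINDOW_SECONDS, max_resets=MAX_RESETS_PER_WINDOW,
                 min_ratio=MIN_RESET_RATIO):
        self.window = window
        self.max_resets = max_resets
        self.min_ratio = min_ratio
        self.opens = defaultdict(deque)   # conn -> timestamps of HEADERS frames
        self.resets = defaultdict(deque)  # conn -> timestamps of RST_STREAM frames
        self.flagged = {}                 # conn -> timestamp when first flagged

    def _trim(self, dq, now):
        # Drop timestamps that have fallen out of the window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, ts, conn, frame_type, stream_id):
        """Record one frame; return True if this frame pushes the connection over the limit."""
        if frame_type == "HEADERS":
            self.opens[conn].append(ts)
        elif frame_type == "RST_STREAM":
            self.resets[conn].append(ts)
        else:
            return False  # other frame types are not part of this signal
        self._trim(self.opens[conn], ts)
        self._trim(self.resets[conn], ts)
        n_open = len(self.opens[conn])
        n_reset = len(self.resets[conn])
        if n_reset >= self.max_resets and n_open and n_reset / n_open >= self.min_ratio:
            self.flagged.setdefault(conn, ts)
            return True
        return False


def scan(events, **kwargs):
    """Replay a list of frame events and return {connection: first_flagged_timestamp}."""
    monitor = ResetRateMonitor(**kwargs)
    for event in events:
        monitor.observe(*event)
    return monitor.flagged


if __name__ == "__main__":
    for conn, ts in scan(build_events()).items():
        print(f"{conn}: reset flood detected at t={ts:.4f}s")
```

The ratio check keeps a busy but honest client (many opens, few resets) from tripping the counter, while the absolute threshold keeps a handful of cancellations on an idle connection from doing so; once a connection is flagged, the natural response is to close it or throttle new streams on it rather than to serve each reset request. Tune both constants against observed traffic before relying on them.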

“These attacks were significantly larger than any previously reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second,” said Google.

The companies are advising other organizations to adopt a multi-faceted approach to mitigating HTTP/2 Rapid Reset attacks.

“Critically, the underpinning preventive measure across all defenses is the vital and timely updating and patching of systems,” said the organizations. “Customers should update their systems with available patches to strengthen against this vulnerability, ensuring a robust barrier against exploitative attacks.”

Jose Rascon
Jose Rascon is a MeriTalk Staff Reporter covering the intersection of government and technology.