Cybersecurity Threat Advisory: HTTP/2 vulnerability
Amazon Web Services (AWS), Cloudflare, and Google announced measures to mitigate unprecedented distributed denial-of-service (DDoS) attacks that utilize an innovative HTTP/2 Rapid Reset technique. In this Cybersecurity Threat Advisory, learn the details of this threat, what the risks are, and how to mitigate the risk.
What is the threat?
HTTP/2 Rapid Reset exploits a weakness in the HTTP/2 protocol to generate enormous, hyper-volumetric DDoS attacks. In a DDoS attack, attackers disrupt the normal traffic of a targeted server, service, or network by overwhelming the target with a flood of internet traffic. This zero-day vulnerability gives threat actors a critical exploit for delivering attacks of a magnitude never before witnessed.
Why is it noteworthy?
Rapid Reset isn’t in a particular piece of software but in the specification for the HTTP/2 network protocol used for loading webpages. Since threat actors can abuse the underlying weakness in the HTTP/2 protocol, any vendor that has implemented HTTP/2 will be subject to the attack. Unlike a Windows or Safari bug that gets patched by Microsoft or Apple, a flaw in a protocol can’t be fixed by one central entity as each website implements the standard in its own way. Organizations and individuals must work on their own protection to mitigate risk from this vulnerability.
What is the exposure or risk?
HTTP/2 is used by 35.6 percent of all websites. The percentage of requests that use HTTP/2 is at 77 percent per data. Google Cloud has observed multiple variants of the Rapid Reset attack. While these variants are not as effective as the initial version, they are more efficient than standard HTTP/2 DDoS attacks.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of HTTP/2 DDoS attacks:
- Understand the external connectivity of your own and your partners' networks so that you can remediate any Internet-facing systems with the mitigations below.
- Ensure your DDoS protection resides outside of your data center, because once the traffic reaches your data center it will be difficult to mitigate the DDoS attack.
- As a last resort, consider turning off HTTP/2 and HTTP/3 (likely also vulnerable) to mitigate the threat. This is a last resort only, because there will be significant performance issues if you downgrade to HTTP/1.1.
- Deploy web server and OS patches to all Internet-facing servers, and ensure automation, such as Terraform builds and images, is up to date to prevent accidental deployment of outdated web server versions over secure images in production.
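To support the first recommendation, the following added example (not part of the original advisory or of any vendor's tooling) inventories which TLS endpoints negotiate HTTP/2 via ALPN, so they can be prioritized for patching and upstream DDoS protection. The function names `negotiated_alpn`, `audit` and `needs_review` are hypothetical, and the endpoints to check are supplied by the operator.

```python
import socket
import ssl
import sys


def negotiated_alpn(host, port=443, timeout=5.0):
    """Return the ALPN protocol the server selects: 'h2', 'http/1.1' or None."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])  # offer HTTP/2 first
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.selected_alpn_protocol()


def audit(endpoints, probe=negotiated_alpn):
    """Map each (host, port) to (status, detail).

    status is 'http2', 'no-http2' or 'unreachable'. 'http2' only means the
    endpoint speaks HTTP/2 and is in scope for the mitigations; it does not
    prove the server is unpatched. Cleartext HTTP/2 (h2c) is not covered.
    """
    report = {}
    for host, port in endpoints:
        try:
            proto = probe(host, port)
        except OSError as exc:  # covers timeouts, refusals and TLS errors
            report[(host, port)] = ("unreachable", type(exc).__name__)
            continue
        status = "http2" if proto == "h2" else "no-http2"
        report[(host, port)] = (status, proto)
    return report


def needs_review(report):
    """Endpoints that negotiated HTTP/2, sorted for a stable worklist."""
    return sorted(ep for ep, (status, _) in report.items() if status == "http2")


if __name__ == "__main__":
    # Usage: python alpn_audit.py host1:443 host2:8443
    targets = []
    for arg in sys.argv[1:]:
        host, _, port = arg.partition(":")
        targets.append((host, int(port or 443)))
    result = audit(targets)
    for endpoint, (status, detail) in sorted(result.items()):
        print(f"{endpoint[0]}:{endpoint[1]}\t{status}\t{detail}")
```

Run it only against systems you own or are authorized to assess, and re-run it after any change that disables HTTP/2 to confirm the endpoint no longer negotiates `h2`.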
For more in-depth information on the recommendations, please visit the following links:
- HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks (thehackernews.com)
- HTTP/2 Rapid Reset: A New Protocol Vulnerability Will Haunt the Web for Years | WIRED
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.