HTTP/2 Rapid Reset Sets DDoS Intensity Record

New DDoS Attack “HTTP/2 Rapid Reset” Sets Record in Scale

The new DDoS attack technique called “HTTP/2 Rapid Reset” has been actively used as a zero-day attack since August this year, breaking all previous records in scale.

News of Rapid Reset emerged today through coordinated reports from AWS, Cloudflare, and Google, which describe mitigating attacks that reached 155 million requests per second according to Amazon, 201 million requests according to Cloudflare, and 398 million requests per second according to Google.

Notably, a relatively small botnet of 20 thousand machines was enough to achieve this intensity. However, there are botnets of hundreds of thousands and even millions of devices. The impact of using Rapid Reset in their attacks is uncertain.

Cloudflare experts report that since August this year, more than a thousand different DDoS attacks have been recorded using the HTTP/2 Rapid Reset method.

This new method exploits a zero-day vulnerability tracked as CVE-2023-44487. It abuses a flaw in the HTTP/2 protocol: the stream cancellation feature is used to continuously send requests and cancel them, which instantly overloads the server.

HTTP/2 includes a protection against DoS attacks in the form of a parameter that limits the number of simultaneously active streams, but this measure is not always effective.
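Why the active-stream limit does not help, and what a per-connection reset-rate check adds, can be seen in the following Python model. It is an added example, not code from AWS, Cloudflare or Google; the frame trace is constructed, and the class name, the threshold of 50 resets and the one-second window are assumptions chosen for illustration.

```python
from collections import deque

class ConnectionMonitor:
    """Per-connection HTTP/2 stream accounting with a reset-rate check."""
    def __init__(self, max_concurrent=100, reset_limit=50, window=1.0):
        self.max_concurrent = max_concurrent  # limit on simultaneously active streams
        self.reset_limit = reset_limit        # assumed: client resets tolerated per window
        self.window = window                  # assumed: window length in seconds
        self.open_streams = set()
        self.peak_open = 0
        self.requests_started = 0             # each accepted request costs server work
        self.recent_resets = deque()
        self.closed = False                   # True once the server would send GOAWAY

    def on_frame(self, t, frame_type, stream_id):
        if self.closed:
            return "dropped"
        if frame_type == "HEADERS":           # client opens a stream (a request)
            if len(self.open_streams) >= self.max_concurrent:
                return "refused"
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.requests_started += 1
            return "accepted"
        if frame_type == "RST_STREAM":        # client cancels; the slot frees at once
            self.open_streams.discard(stream_id)
            self.recent_resets.append(t)
            while t - self.recent_resets[0] > self.window:
                self.recent_resets.popleft()
            if len(self.recent_resets) > self.reset_limit:
                self.closed = True
                return "goaway"
            return "reset"
        return "ignored"

def replay(events, **settings):
    """Feed (time, frame_type, stream_id) events to a fresh monitor."""
    monitor = ConnectionMonitor(**settings)
    for event in events:
        monitor.on_frame(*event)
    return monitor

def cancel_heavy_trace(n, interval=0.001):
    """Constructed trace: n requests, each cancelled right after it is opened."""
    events = []
    for i in range(n):
        stream_id = 2 * i + 1                 # client-initiated streams use odd ids
        events.append((i * interval, "HEADERS", stream_id))
        events.append((i * interval, "RST_STREAM", stream_id))
    return events
```

With the reset check effectively disabled (`reset_limit` set very high), all 1000 constructed requests are accepted while never more than one stream is active, so the concurrency limit is never reached. With the default threshold, the connection is closed after 51 requests.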

Google explained that “the protocol does not require the client and the server to coordinate the cancellation; the client can do it on its
