Google, together with other major cloud providers, has disclosed a DDoS vulnerability in HTTP/2, tracked as CVE-2023-44487 and known as Rapid Reset. The attack abuses HTTP/2 stream multiplexing: a client opens a new stream with a HEADERS frame and immediately cancels it with RST_STREAM. A cancelled stream no longer counts against the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, so the client can open and reset streams at a rate far above that limit, while the server still pays the cost of starting each request. As a result, even relatively small botnets can generate an overwhelming number of requests.
Web servers and HTTP/2 libraries have started releasing patches. nginx now limits the number of new streams a client may open in one event-loop iteration to twice the configured http2_max_concurrent_streams; a client that exceeds this limit (the immediate open-and-cancel pattern will) has its connection closed. Other implementations, including Envoy, Go 1.21.3, and Caddy 2.7.5, are rolling out equivalent fixes.
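To make the mechanism and the mitigation concrete, here is an added illustration that is not from the original article or from any of the projects named in it. It builds constructed HTTP/2 frames (the HPACK payload bytes are placeholders and are never decoded), parses them, and runs the same burst of open-and-cancel requests through two simplified server policies: one that only enforces the concurrent-stream limit, and one that adds an nginx-style cap of 2 times max_concurrent_streams new streams per event-loop cycle. The `Connection` model, the single-cycle simplification, and the sample traffic generators are assumptions made for the example.

```python
import struct
from dataclasses import dataclass, field

# HTTP/2 frame types and the RST_STREAM error code a client uses to cancel (RFC 9113).
HEADERS = 0x1
RST_STREAM = 0x3
CANCEL = 0x8
END_STREAM, END_HEADERS = 0x1, 0x4


def frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples; rejects truncation."""
    frames, off = [], 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def rapid_reset_burst(n):
    """Constructed attack traffic: n requests, each opened (HEADERS) and cancelled (RST_STREAM) at once.
    The two HPACK bytes are placeholders (indexed :method GET, :path /) and are not decoded here."""
    out, sid = b"", 1                        # client-initiated streams use odd ids
    for _ in range(n):
        out += frame(HEADERS, sid, b"\x82\x84", END_HEADERS | END_STREAM)
        out += frame(RST_STREAM, sid, CANCEL.to_bytes(4, "big"))
        sid += 2
    return out


def legitimate_burst(n):
    """Constructed benign traffic: n requests opened together and left running."""
    return b"".join(frame(HEADERS, 1 + 2 * i, b"\x82\x84", END_HEADERS | END_STREAM) for i in range(n))


@dataclass
class Connection:
    max_concurrent_streams: int = 128     # SETTINGS_MAX_CONCURRENT_STREAMS advertised to the client
    cycle_factor: int = 2                 # assumed nginx-style cap: 2x max_concurrent new streams per cycle
    open_streams: set = field(default_factory=set)
    accepted: int = 0                     # requests handed to the backend: the cost the attacker inflates
    refused: int = 0
    peak_concurrent: int = 0
    closed: bool = False
    reason: str = ""


def process_cycle(conn, data, hardened):
    """Handle the frames that arrived in one event-loop cycle (a simplified model of a read loop).
    hardened=False enforces only the concurrent-stream limit; hardened=True adds the per-cycle cap."""
    new_this_cycle = 0
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == HEADERS and sid not in conn.open_streams:
            new_this_cycle += 1
            if hardened and new_this_cycle > conn.cycle_factor * conn.max_concurrent_streams:
                conn.closed, conn.reason = True, "GOAWAY: new-stream rate exceeded"
                break
            if len(conn.open_streams) >= conn.max_concurrent_streams:
                conn.refused += 1         # stream error (REFUSED_STREAM); the connection survives
                continue
            conn.open_streams.add(sid)
            conn.accepted += 1
            conn.peak_concurrent = max(conn.peak_concurrent, len(conn.open_streams))
        elif ftype == RST_STREAM:
            conn.open_streams.discard(sid)  # the cancel frees the concurrency slot immediately
    return conn


def compare(n_requests=1000):
    """Run the same attack burst against the naive and the hardened policy."""
    return {
        "naive": process_cycle(Connection(), rapid_reset_burst(n_requests), hardened=False),
        "hardened": process_cycle(Connection(), rapid_reset_burst(n_requests), hardened=True),
    }


if __name__ == "__main__":
    for name, c in compare().items():
        print(f"{name:8s} accepted={c.accepted} peak_concurrent={c.peak_concurrent} "
              f"closed={c.closed} {c.reason}")
```

Running it shows why the concurrency limit alone does not help: under the naive policy the attacker's 1000 cancelled requests are all accepted while the number of concurrently open streams never exceeds 1. The hardened policy closes the connection after 256 new streams in a single cycle, whereas a benign burst of 100 concurrent requests passes untouched.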
This vulnerability lets botnets of any size launch far more potent attacks. Google has already observed a Rapid Reset attack peaking at 398 million requests per second, about 7.5 times the previous record of 46 million requests per second set in 2022. The scale of these volumetric attacks has increased sharply.
TLDR: A DDoS vulnerability in HTTP/2 called Rapid Reset (CVE-2023-44487) has been disclosed by Google and other major cloud providers. By opening streams and cancelling them immediately, a client sidesteps the concurrent-stream limit, so botnets large and small can generate a very high request rate. Patches have been released for nginx, Envoy, Go, Caddy, and other HTTP/2 implementations. Google has seen the scale of attacks exploiting this technique rise significantly, with one reaching 398 million requests per second, 7.5 times the previous year's record.