Google, Amazon, Microsoft, and Cloudflare revealed this week that they battled massive, record-setting distributed denial of service attacks against their cloud infrastructure in August and September. DDoS attacks, in which attackers attempt to overwhelm a service with junk traffic to bring it down, are a classic internet menace, and hackers are always developing new strategies to make them bigger or more effective. The recent attacks were particularly noteworthy, though, because hackers generated them by exploiting a vulnerability in a foundational web protocol. This means that while patching efforts are well underway, fixes will need to essentially reach every web server globally before these attacks can be fully stamped out.
Dubbed “HTTP/2 Rapid Reset,” the vulnerability can only be exploited for denial of service—it doesn’t allow attackers to remotely take over a server or exfiltrate data. But an attack doesn’t need to be fancy to cause major problems—availability is vital for access to any digital service, from critical infrastructure to crucial information.
“DDoS attacks can have wide-ranging impacts to victim organizations, including loss of business and unavailability of mission-critical applications,” Google Cloud’s Emil Kiner and Tim April wrote this week. “Time to recover from DDoS attacks can stretch well beyond the end of an attack.”
Another facet of the situation is where the vulnerability came from. Rapid Reset isn’t in a particular piece of software but in the specification for the HTTP/2 network protocol used for loading webpages. Developed by the Internet Engineering Task Force (IETF), HTTP/2 has been around for about eight years and is the faster, more efficient successor to the classic internet protocol HTTP. HTTP/2 works better on mobile and uses less bandwidth, so it has been extremely widely adopted. IETF is currently developing HTTP/3.
“Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack,” Cloudflare’s Lucas Pardue and Julien Desgats wrote this week. Though it seems that there are a minority of implementations that are not impacted by Rapid Reset, Pardue and Desgats emphasize that the problem is broadly relevant to “every modern web server.”
Unlike a Windows bug that gets patched by Microsoft or a Safari bug that gets patched by Apple, a flaw in a protocol can’t be fixed by one central entity because each website implements the standard in its own way. When major cloud services and DDoS-defense providers create fixes for their services, it goes a long way toward protecting everyone who uses their infrastructure. But organizations and individuals running their own web servers need to work out their own protections.