
There’s been a shift in the cybersecurity landscape, rocking the pillars of the internet. I am talking about the profound impact of a new Distributed Denial of Service (DDoS) method that has emerged, one that makes all of the previous attack records seem like jokes.
This innovative method, named ‘HTTP/2 Rapid Reset,’ has been buzzing in the tech underworld since late August. If the reported numbers give you chills, it’s because they represent an entirely new level of internet threats, with attacks hitting the 200-398 million requests per second range, something previously unheard of.
Let’s break it down: what exactly is this HTTP/2 Rapid Reset? Clever in its simplicity, it abuses protocol features designed to keep servers from being overloaded with too many active streams. Instead of acting nicely, hackers are leveraging the ‘request cancellation’ feature of HTTP/2 to choke servers with endless streams of requests. Here’s the sneaky bit: they then promptly cancel these requests, forcing servers to deal with a literal ocean of resets. The result is like a freeway during rush hour: complete gridlock.
The cunning simplicity of the attack means it’s tough to mitigate effectively, with folks over at Cloudflare noting that it managed to strain their system even before the requests could reach the point of blocking. However, tech giants are already armoring up to deal with this menace. Cloudflare’s particularly proud of its ‘IP Jail’ system, which temporarily bars misbehaving IPs from using HTTP/2 on any Cloudflare domain.
Amazon and Google have also sprung into action, with Amazon maintaining the availability of its customer services despite the onslaught. All three industry leaders suggest boosting DDoS resilience and using all on-hand HTTP-flood protection tools to weather the storm. Software developers are on the case too. They’re implementing rate controls to reduce the impact of HTTP/2 Rapid Reset attacks.
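As an added example (not from this article or from any vendor's implementation), here is a minimal per-connection check of the kind such rate controls build on: it parses HTTP/2 frame headers and flags a connection whose client cancels most of the streams it opens. The function names, thresholds and sample traffic are assumptions constructed for illustration.

```python
HEADERS, RST_STREAM = 0x1, 0x3       # frame type codes from RFC 9113
CANCEL = (0x8).to_bytes(4, "big")    # RST_STREAM payload: error code CANCEL

def frame(ftype, stream_id, payload=b"", flags=0):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    head = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return head + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(buf):
    """Yield (type, stream_id) for every complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        if pos + 9 + length > len(buf):
            break  # truncated trailing frame: ignore it
        sid = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield buf[pos + 3], sid
        pos += 9 + length

def reset_verdict(buf, min_streams=20, max_ratio=0.5):
    """Return 'close' when the client cancelled too many of its own streams."""
    opened, cancelled = set(), set()
    for ftype, sid in parse_frames(buf):
        if ftype == HEADERS and sid % 2 == 1:    # client streams use odd ids
            opened.add(sid)
        elif ftype == RST_STREAM and sid in opened:
            cancelled.add(sid)
    if len(opened) >= min_streams and len(cancelled) / len(opened) > max_ratio:
        return "close"   # a server would send GOAWAY and drop the connection
    return "ok"

# Constructed sample traffic (client-to-server frames, preface omitted).
REQ = b"\x82\x84"  # placeholder header block; contents are not inspected
benign = b"".join(frame(HEADERS, s, REQ, 0x5) for s in range(1, 61, 2))
benign += frame(RST_STREAM, 3, CANCEL) + frame(RST_STREAM, 9, CANCEL)
rapid = b"".join(frame(HEADERS, s, REQ, 0x5) + frame(RST_STREAM, s, CANCEL)
                 for s in range(1, 61, 2))

if __name__ == "__main__":
    print("benign:", reset_verdict(benign))
    print("rapid reset pattern:", reset_verdict(rapid))
```

A production control would also bound the check to a time window and cap the state it keeps per connection; the ratio test alone is what this sketch shows.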
But, you may be thinking, isn’t there a straightforward fix? It’s not that simple. Since this method goes for the jugular of the HTTP/2 protocol itself, it isn’t a case of patching a single loophole, but rather of mitigating the abuse of an inherent feature of the protocol.
In a world where web security matters more than ever, anybody who uses the internet would be wise to stay informed about these new developments. As we become increasingly dependent on technology in our everyday lives, staying one step ahead of hackers and cyber threats must be a priority. Trust me, folks; you’ll thank me when your favorite eCommerce store is still operational and not stuck in traffic on the data highway.

