
HTTP/2 'Rapid Reset' zero-day exploited in biggest DDoS deluge seen yet
2023-10-10 20:37

The method relies on stream multiplexing, a feature of the HTTP/2 protocol that allows multiple HTTP requests to be sent to a server on a single TCP connection.

The protocol also lets a client send a request and cancel it shortly afterwards, an action known as resetting the request's stream.

A conventional HTTP/2 DDoS attack involves opening as many of these streams as the server allows, waiting for the server or proxy to respond to each request before firing off another flurry, and repeating this over and over.

Rapid Reset attacks sidestep that limit on open streams, allowing many, many more requests to flood a server.

"The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately," as Google engineers Juho Snellman and Daniele Iamartino put it.

Essentially, the process allows attackers to flood servers with more requests than ever seen before, leading to larger-scale DDoS attacks that are difficult to mitigate.
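The pattern described above, a request stream cancelled before the server has answered, as an added example that is not from the article or from Google's engineers: a minimal HTTP/2 frame parser plus a per-connection counter of streams the client reset while still unanswered, the kind of heuristic a server or proxy can use to close a connection that is behaving like a Rapid Reset client. Frame layout and the CANCEL error code follow RFC 9113; the threshold, class and function names, and the sample frame bytes are constructed for this illustration.

```python
HEADERS_FRAME, RST_STREAM_FRAME = 0x1, 0x3   # frame type codes (RFC 9113, section 6)
END_STREAM, END_HEADERS = 0x1, 0x4           # HEADERS flags
CANCEL = 0x8                                 # RST_STREAM error code

def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id (R bit 0)."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload); stop at a truncated trailing frame."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        yield ftype, flags, stream_id, payload
        off += 9 + length

class RapidResetGuard:
    def __init__(self, max_rapid_resets: int = 10):   # threshold is a constructed value
        self.max_rapid_resets = max_rapid_resets
        self.unanswered = set()   # stream ids with a request received but no response sent
        self.rapid_resets = 0

    def on_client_frame(self, ftype: int, stream_id: int) -> bool:
        """Feed one client frame; return True once the connection should be closed."""
        if ftype == HEADERS_FRAME:
            self.unanswered.add(stream_id)
        elif ftype == RST_STREAM_FRAME and stream_id in self.unanswered:
            self.unanswered.discard(stream_id)
            self.rapid_resets += 1   # cancelled before any response: the Rapid Reset signature
        return self.rapid_resets > self.max_rapid_resets

    def on_response_sent(self, stream_id: int) -> None:
        self.unanswered.discard(stream_id)   # a later RST_STREAM on this stream is benign

def should_close(client_bytes: bytes, max_rapid_resets: int = 10) -> bool:
    guard = RapidResetGuard(max_rapid_resets)
    return any(guard.on_client_frame(t, sid) for t, _, sid, _ in parse_frames(client_bytes))

# Constructed samples: a GET request (HPACK index 2 = ":method: GET") on 50 client streams.
ATTACK = b"".join(frame(HEADERS_FRAME, END_STREAM | END_HEADERS, sid, b"\x82")
                  + frame(RST_STREAM_FRAME, 0, sid, CANCEL.to_bytes(4, "big"))
                  for sid in range(1, 101, 2))   # open each stream, then cancel it at once
NORMAL = b"".join(frame(HEADERS_FRAME, END_STREAM | END_HEADERS, sid, b"\x82")
                  for sid in range(1, 101, 2))   # open each stream and wait for the response
```

A well-behaved client that cancels a stream after the response has started is not counted, which is why the guard keys on resets of still-unanswered streams rather than on RST_STREAM frames alone.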

News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/