HTTP/2 Zero-Day Exploited To Launch Largest DDoS Attacks In History (securityweek.com)
wiredmikey writes: A zero-day vulnerability named 'HTTP/2 Rapid Reset' has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history. One of the attacks seen by Cloudflare was three times larger than the record-breaking 71 million requests per second (RPS) attack reported by the company in February. Specifically, the HTTP/2 Rapid Reset DDoS campaign peaked at 201 million RPS, while Google observed a DDoS attack that peaked at 398 million RPS. The new attack method abuses an HTTP/2 feature called 'stream cancellation', by repeatedly sending a request and immediately canceling it.
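The pattern the submission describes, a client opening a stream and cancelling it at once over and over, is visible to the server as a burst of RST_STREAM frames on one connection. The following is an added example of a defender-side check, written for this page and not taken from the article, from Cloudflare or Google, or from any HTTP/2 server's code: it walks a constructed per-connection frame log and flags a connection once its reset count inside a sliding window passes a limit and resets make up most of the streams it opened. The frame-log shape, the connection names and the thresholds are assumptions for illustration; a real server would keep the same counters per connection and answer an offending client with GOAWAY rather than keep serving it.

```python
from collections import defaultdict, deque


def build_sample_frames():
    """Constructed HTTP/2 frame log (not captured traffic).

    Each entry is (timestamp_seconds, conn_id, frame_type, stream_id).
    Connection "legit" opens five streams and cancels one of them, which is
    normal client behaviour (a user navigating away). Connection "flood"
    opens 150 streams in under half a second and resets every one of them
    immediately, the request-then-cancel pattern described above.
    """
    frames = []
    for i in range(5):
        frames.append((0.1 * i, "legit", "HEADERS", 2 * i + 1))
    frames.append((0.35, "legit", "RST_STREAM", 3))
    for i in range(150):
        t = 0.003 * i
        sid = 2 * i + 1
        frames.append((t, "flood", "HEADERS", sid))
        frames.append((t + 0.0001, "flood", "RST_STREAM", sid))
    frames.sort(key=lambda f: f[0])
    return frames


def rapid_reset_suspects(frames, window_s=1.0, max_resets=100, min_ratio=0.8):
    """Flag connections that reset too many streams too fast.

    Both conditions must hold inside a sliding window of window_s seconds:
      * the client sent more than max_resets RST_STREAM frames, and
      * resets make up at least min_ratio of the streams the client opened.
    The ratio guards against false positives on busy but honest connections
    that open many streams and cancel only a few. Thresholds are assumed
    values for this example. Returns {conn_id: timestamp of first flag}.
    """
    resets = defaultdict(deque)   # conn -> timestamps of recent RST_STREAM
    opened = defaultdict(deque)   # conn -> timestamps of recent HEADERS
    flagged = {}
    for ts, conn, ftype, _stream_id in frames:
        if ftype == "HEADERS":
            opened[conn].append(ts)
        elif ftype == "RST_STREAM":
            resets[conn].append(ts)
        else:
            continue  # DATA, WINDOW_UPDATE etc. do not affect this check
        # Evict events that have fallen out of the window for this connection.
        for q in (opened[conn], resets[conn]):
            while q and ts - q[0] > window_s:
                q.popleft()
        n_reset, n_open = len(resets[conn]), len(opened[conn])
        if (conn not in flagged and n_reset > max_resets
                and n_open and n_reset / n_open >= min_ratio):
            flagged[conn] = ts
    return flagged


if __name__ == "__main__":
    for conn, ts in rapid_reset_suspects(build_sample_frames()).items():
        print(f"{conn}: rapid-reset pattern detected at t={ts:.4f}s")
```

With the sample log, only the "flood" connection is flagged, at the 101st reset; the "legit" connection with a single cancellation is never touched. The two-part condition matters: a count alone would also catch a browser that opened many streams and then cancelled a page's worth of them, which is why the ratio of resets to opened streams is checked as well.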
Crappy protocol design (Score:1)
Either nobody was aware of the security implication or nobody cared. Both are really bad. Amateurs have no business designing Internet protocols.
Re: (Score:1)
Paid professionals and experts screw up too, if you know any history of kernel DoS bugs, DDoS's, CVEs, processor bugs, bridge/tower collapses, malpractice, or insurance for any of these.
Nobody has any business designing Internet protocols, but it happens anyway. Sorry man.
Re: (Score:1)
Many eyes strikes again.
No more slash-dotted DDoS.. (Score:1)
Disabled. (Score:1)