“HTTP/2 Fast Reset” Protocol Vulnerability Troubles Internet for Years
Google, Amazon, Microsoft, and Cloudflare revealed this week that they experienced massive, record-breaking Distributed Denial of Service (DDoS) attacks against their cloud infrastructure in August and September 2023; Google reported a peak of 398 million requests per second.
DDoS attacks are a common internet threat in which attackers attempt to inundate a service with junk traffic to render it inaccessible to legitimate users.
Hackers have been continually developing new strategies to make these attacks larger and more effective.

However, these recent attacks are particularly notable because the attackers exploited a weakness in a fundamental network protocol rather than a bug in one product. Even though patching efforts are underway, fully eliminating the attack requires updating essentially every HTTP/2-capable web server in the world.
The vulnerability is known as “HTTP/2 Rapid Reset” (rendered “Fast Reset” in some reports) and is tracked as CVE-2023-44487. It can only be used for denial of service: attackers cannot use it to take control of servers or steal data.
Nevertheless, these attacks don’t need to be sophisticated to cause significant problems, as availability is crucial for accessing any digital service, from critical infrastructure to essential information.
Emil Kiner and Tim April of Google Cloud stated this week: “DDoS attacks have broad-reaching impacts on affected organizations, including business losses and unavailability of critical mission applications. The recovery time from DDoS attacks can be far longer than the duration of the attack itself.”
Another aspect of the situation is the origin of the vulnerability. Rapid Reset doesn’t live in a specific piece of software but in the behaviour permitted by the HTTP/2 protocol specification used to load web pages. Developed by the Internet Engineering Task Force (IETF), HTTP/2 has been in existence for approximately eight years and is a faster and more efficient successor to HTTP/1.1. It performs better on mobile devices and consumes less bandwidth, which is why it’s so widely adopted. The IETF has since published its successor, HTTP/3.
Lucas Pardue and Julien Desgats of Cloudflare wrote this week: “Since this attack abuses a potential weakness in the HTTP/2 protocol, we believe any vendor implementing HTTP/2 is at risk.” While there appear to be a few implementations that are not affected by Rapid Reset, Pardue and Desgats emphasize that this issue is broadly relevant to “every modern web server.”
Unlike a vulnerability in Windows, which Microsoft fixes, or in Safari, which Apple fixes, a protocol flaw cannot be fixed by a single entity, because every web server implements the standard in its own way. Major cloud and DDoS-defense providers can largely protect everyone who uses their infrastructure by developing fixes for their own services. Organizations and individuals running their own web servers, however, must put their own protection in place.
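The mechanics behind the two paragraphs above, as an added example that is not code from the original article or from any of the vendors it quotes: an HTTP/2 client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM. The reset frees the stream's slot under the server's concurrency limit before the server has finished the work the request triggered, so the attacker can stay under SETTINGS_MAX_CONCURRENT_STREAMS while generating unbounded backend load. The model below encodes and parses real HTTP/2 frame headers (RFC 9113 section 4.1) but the HPACK header block is a constructed three-byte static-table lookup, the backend cost is represented by a counter, and `reset_limit` is an assumed, count-based simplification of the per-connection reset limits vendors actually shipped (which are usually rate-based).

```python
import struct

# Frame types, flags and error code from RFC 9113 (HTTP/2).
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL = 0x8  # the RST_STREAM error code Rapid Reset traffic typically carries

# Constructed HPACK block: static-table indices for ":method GET",
# ":scheme http" and ":path /". Real clients send a fuller header set.
GET_ROOT_HPACK = b"\x82\x86\x84"


def encode_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from a byte string of frames."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


def rapid_reset_bytes(n):
    """Constructed attack traffic: n requests, each cancelled at once on a fresh odd stream id."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out += encode_frame(HEADERS, END_HEADERS | END_STREAM, sid, GET_ROOT_HPACK)
        out += encode_frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


class ServerConnection:
    """Minimal model of a server's per-connection stream bookkeeping.

    reset_limit is an assumed simplification of the per-connection reset
    limits vendors shipped; None reproduces the pre-patch behaviour.
    """

    def __init__(self, max_concurrent_streams=100, reset_limit=None):
        self.max_concurrent_streams = max_concurrent_streams
        self.reset_limit = reset_limit
        self.open_streams = set()
        self.peak_open = 0
        self.dispatched = 0   # requests handed to the backend (the attacker's real cost to us)
        self.refused = 0      # streams rejected for exceeding the concurrency limit
        self.resets = 0
        self.closed = False   # True once the server would send GOAWAY and drop the connection

    def feed(self, data):
        for ftype, flags, sid, payload in parse_frames(data):
            if self.closed:
                break
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent_streams:
                    self.refused += 1
                    continue
                self.open_streams.add(sid)
                self.peak_open = max(self.peak_open, len(self.open_streams))
                # Work starts as soon as the headers are complete; the cancel arrives later.
                self.dispatched += 1
            elif ftype == RST_STREAM:
                # RST_STREAM frees the concurrency slot immediately, which is
                # exactly what lets the attacker stay under max_concurrent_streams.
                self.open_streams.discard(sid)
                self.resets += 1
                if self.reset_limit is not None and self.resets > self.reset_limit:
                    self.closed = True
        return self


if __name__ == "__main__":
    unpatched = ServerConnection().feed(rapid_reset_bytes(10_000))
    patched = ServerConnection(reset_limit=100).feed(rapid_reset_bytes(10_000))
    print("unpatched: dispatched", unpatched.dispatched, "peak open", unpatched.peak_open)
    print("patched:   dispatched", patched.dispatched, "closed", patched.closed)
```

Running it shows the asymmetry the article describes: the unpatched connection never has more than one stream open, never refuses anything, and still dispatches all 10,000 requests to the backend, while the connection with a reset limit is torn down after 101 requests. The ordinary concurrency limit is still enforced on a client that opens streams without resetting them, so the reset limit is an addition to it, not a replacement.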
Dan Lorenc, CEO of Chainguard, a software supply chain security company with a long history in open-source software, points out that this situation demonstrates the advantage of open-source availability and code reuse over always building from scratch. Many web servers have adopted HTTP/2 implementations from other projects, and as long as those projects are maintained, they will develop Rapid Reset fixes and distribute them to users.
Nevertheless, widespread adoption of those patches will take years, and some services run their own from-scratch HTTP/2 implementations that may never receive a fix.
Lorenc states, “It’s worth noting that when big tech companies found this issue, it was being actively exploited. It could be used to take down services like operational technology or industrial control. That’s scary.”
While the recent series of DDoS attacks against Google, Cloudflare, Microsoft, and Amazon raised concerns because of its massive scale, the companies ultimately mitigated the attacks without lasting damage. In carrying them out, however, the attackers revealed the existence of the protocol vulnerability and how to exploit it, a trade-off the security community calls “burning a zero-day.” Despite the time-consuming patching process and the long-term exposure of some web servers, the internet is now more secure than it would be if the attackers had kept this vulnerability in their arsenal.
Lorenc adds, “It’s unusual to have a vulnerability like this in a standard. It’s a novel one, and it’s a valuable find for the people who discovered it. They could have kept it or possibly sold it for a lot of money. I’ve always been curious why someone decided to ‘burn’ this vulnerability.”