Risk & Repeat: Rapid Reset and the future of DDoS attacks

This podcast episode covers the record-breaking DDoS attack Rapid Reset, why it stands out among other DDoS campaigns and whether it will be widely replicated in the future.

Although Google, AWS and Cloudflare stopped the largest DDoS campaign on record, questions remain about the future of the cyberthreat.

The three tech giants on Tuesday disclosed a novel attack vector that unnamed threat actors used to conduct the largest DDoS attack on record. The attack, known as Rapid Reset, exploits a vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487, and abuses the protocol's improved efficiency over previous versions, like HTTP/1.1.

The U.S. government's NIST said on its webpage dedicated to the vulnerability that the protocol "allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023."

Google and Cloudflare, in particular, broke down the technical details in their respective blog posts. In Cloudflare's post, the hosting provider said that when the attack peaked in August, it tracked nearly three times as many requests per second -- 201 million -- as the previous record holder. Google tracked even more requests, according to its technical breakdown: 398 million.

"Concerning is the fact that the attacker was able to generate such an attack with a botnet of merely 20,000 machines," Cloudflare's blog read. "There are botnets today that are made up of hundreds of thousands or millions of machines."

Another facet of the attack involves mitigations. Some vendors have patched the HTTP/2 flaws, and an AWS spokesperson told TechTarget Editorial it anticipates widespread patch issuing and adoption to provide broader threat mitigation. However, options on the defender side are otherwise complicated. Google said blocking individual requests would not suffice; instead, defenders would need to close the entire TCP connection as they detected abuse.
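
The following Python example is added here and is not code from Google, Cloudflare or AWS: it counts the streams a client opens and cancels on each connection and flags the whole connection for closure, rather than rejecting individual requests. The thresholds, the event tuple format and all names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

# Assumed policy values for illustration, not any vendor's actual thresholds.
WINDOW_SECONDS = 1.0           # sliding window per connection
MAX_CANCELS_PER_WINDOW = 100   # client cancellations tolerated in the window
MIN_CANCEL_RATIO = 0.9         # cancelled / opened streams that counts as abuse

class ConnectionMonitor:
    """Tracks streams a client opens and cancels on one TCP connection."""
    def __init__(self):
        self.opened = deque()      # timestamps of HEADERS frames (new requests)
        self.cancelled = deque()   # timestamps of client RST_STREAM frames
        self.closed = False

    def observe(self, ts, frame_type):
        """Return 'close' once the whole connection should be dropped, else 'ok'."""
        if self.closed:
            return "close"
        if frame_type == "HEADERS":
            self.opened.append(ts)
        elif frame_type == "RST_STREAM":
            self.cancelled.append(ts)
        for q in (self.opened, self.cancelled):   # expire entries outside the window
            while q and ts - q[0] > WINDOW_SECONDS:
                q.popleft()
        cancels, opens = len(self.cancelled), len(self.opened)
        if (cancels > MAX_CANCELS_PER_WINDOW and opens
                and cancels / opens >= MIN_CANCEL_RATIO):
            self.closed = True     # caller closes the TCP connection, not one stream
        return "close" if self.closed else "ok"

def evaluate(events):
    """events: (timestamp, conn_id, frame_type) tuples in time order."""
    monitors = defaultdict(ConnectionMonitor)
    return {cid for ts, cid, ft in events if monitors[cid].observe(ts, ft) == "close"}

def constructed_events():
    """Constructed sample: 'A' opens and cancels 300 streams in 0.3 s; 'B' browses."""
    events = []
    for i in range(300):
        events += [(i * 0.001, "A", "HEADERS"), (i * 0.001, "A", "RST_STREAM")]
    for i in range(50):
        events.append((i * 0.1, "B", "HEADERS"))
        if i % 20 == 5:            # an occasional legitimate cancellation
            events.append((i * 0.1 + 0.05, "B", "RST_STREAM"))
    return sorted(events)

if __name__ == "__main__":
    print(evaluate(constructed_events()))
```

Connection "B" cancels a few requests, as a normal client does, and is left alone; only the connection whose cancellations track its new streams almost one for one is closed.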

On this episode of the Risk & Repeat podcast, TechTarget editors Rob Wright and Alex Culafi discuss the Rapid Reset DDoS attack.

Alexander Culafi is an information security news writer, journalist and podcaster based in Boston.