Cloudflare, Inc. (NYSE: NET), the foremost connectivity cloud company, has announced its pivotal role in exposing a groundbreaking zero-day vulnerability, dubbed “HTTP/2 Rapid Reset.” This global exploit endows malefactors with the capability to launch attacks of unprecedented magnitude, surpassing anything previously witnessed on the Internet. In response to this novel threat, Cloudflare has engineered specialized technology designed to automatically thwart any assault harnessing Rapid Reset on behalf of its clientele.
Cloudflare has not only effectively neutralized these issues, safeguarding all of its customers, but it has also initiated a responsible disclosure process with two other major infrastructure providers. This cooperative effort aims to extend protection against this vulnerability to a substantial portion of the Internet before disclosing its existence to the public.
Matthew Prince, CEO of Cloudflare, emphasized the company’s commitment to fortifying critical infrastructure, customer assets, and the Internet at large. He stated, “Successfully mitigating this threat for every critical infrastructure organization, customer, and the Internet at-large is the lifeblood of what Cloudflare stands for. We are one of the only companies equipped to identify and address threats of this magnitude, at the speed required to maintain the integrity of the Internet. And while this DDoS attack and vulnerability may be in a league of their own, there will always be other zero-day, evolving threat actor tactics, and new novel attacks and techniques—the continuous preparation and response to these is core to our mission to help build a better Internet.”
Deconstructing the “HTTP/2 Rapid Reset” In late August 2023, Cloudflare uncovered a zero-day vulnerability crafted by an unidentified threat actor. This vulnerability exploits the standard HTTP/2 protocol, a fundamental component of Internet and website functionality. HTTP/2 facilitates the efficient exchange of data between web browsers and websites, allowing for swift retrieval of images and text even in complex web environments. The new attack method involves inundating websites with hundreds of thousands of requests, promptly canceled thereafter. By executing this “request, cancel, request, cancel” pattern on a massive scale, threat actors overwhelm websites, causing services reliant on HTTP/2 to go offline.
The “Rapid Reset” technique equips threat actors with a potent means to launch attacks of unparalleled scale across the Internet. Approximately 60% of all web applications depend on HTTP/2, impacting the speed and quality of user interactions with websites.
Based on Cloudflare’s data, several attacks utilizing Rapid Reset were nearly three times larger than the largest DDoS attack in Internet history. At the peak of this DDoS campaign, Cloudflare handled over 201 million requests per second (Mrps) while successfully mitigating thousands of additional attacks.
How Cloudflare Thwarted the Attack in Collaboration with Industry Peers Threat actors wielding record-breaking attack methods encounter challenges in testing and gauging their effectiveness due to the lack of infrastructure capable of absorbing such assaults. Consequently, they often test their capabilities against providers like Cloudflare to assess their attack potential.
Grant Bourzikas, CSO at Cloudflare, highlighted the significance of combating these large-scale attacks and gaining early insight into emerging threat actor techniques. He stressed the importance of organizations and security teams adopting the “assume breach” mindset, which Cloudflare promotes. This mindset enables proactive response and empowers organizations to contribute to a more secure Internet.
