HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks and Is Here to Stay

Massive distributed denial of service (DDoS) attacks that exploited a vulnerability in the HTTP/2 web protocol impacted Google, Amazon, Microsoft, and Cloudflare in August and September. While efforts are underway to patch the vulnerability, the patch needs to be applied to every web server globally.
Even though this flaw, called “HTTP/2 Rapid Reset,” doesn’t enable hackers to take over servers or steal data, it allows for DDoS attacks that can disrupt businesses and critical applications, causing prolonged recovery times.

The vulnerability exists in the HTTP/2 specification, a fundamental part of webpage loading. HTTP/2, developed by the Internet Engineering Task Force (IETF), has been widely adopted for its speed and efficiency, making the problem relevant to most web servers.

Unlike typical software bugs, protocol flaws require each website to implement its own fixes. Major cloud services and DDoS-defense providers are developing fixes, but organizations and individuals running their own servers must secure their systems.

Open source software and code reuse play a role in addressing this issue, but full patch adoption will take time, and some servers may remain vulnerable.