Cloudflare Helps Discover New Online Threat That Led to Largest Attack in Internet History

Cloudflare, Inc. made public that it helped lead the disclosure of a new novel zero-day vulnerability, dubbed “HTTP/2 Rapid Reset.” This global vulnerability gives attackers the ability to generate attacks larger than anything the Internet had seen before. To help mitigate the impact of this new threat for the entire Internet ecosystem, Cloudflare developed technology purpose-built to automatically block any attack leveraging Rapid Reset for its customers.

Cloudflare successfully mitigated these issues and halted potential abuse for all customers, while simultaneously kicking off a responsible disclosure process with two other major infrastructure providers, to extend mitigations for this vulnerability to a large percentage of the Internet prior to disclosing its existence to the general public.

“Successfully mitigating this threat for every critical infrastructure organization, customer, and the Internet at-large is the lifeblood of what Cloudflare stands for. We are one of the only companies equipped to identify and address threats of this magnitude, at the speed required to maintain the integrity of the Internet,” said Matthew Prince, CEO at Cloudflare. “And while this DDoS attack and vulnerability may be in a league of their own, there will always be other zero-day, evolving threat actor tactics, and new novel attacks and techniques-the continuous preparation and response to these is core to our mission to help build a better Internet.”

Deconstructing HTTP/2 Rapid Reset

In late August 2023, Cloudflare discovered a zero-day vulnerability, developed by an unknown threat actor. The vulnerability exploits the standard HTTP/2 protocol-a fundamental piece to how the Internet and most websites operate. HTTP/2 is responsible for how browsers interact with a website, allowing them to ‘request’ to view things like images and text quickly, and all at once no matter how complex the website. This new attack works by making hundreds of thousands of ‘requests’ and immediately canceling them. By automating this “request, cancel, request, cancel” pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline.

“Rapid Reset” provides threat actors with a powerful new way to attack victims across the Internet at an order of magnitude larger than anything the Internet has seen before. HTTP/2 is the basis for about 60% of all web applications, and determines the speed and quality of how users see and interact with websites.

Based on Cloudflare’s data, several attacks leveraging Rapid Reset were nearly three times larger than the largest DDoS attack in Internet history. At the peak of this DDoS campaign, Cloudflare recorded and handled over 201 million requests per second (Mrps), as well as the mitigation of thousands of additional attacks following.

How Cloudflare thwarted the attack with Industry peers

Threat actors who possess record-shattering attack methods have an extremely difficult time testing and understanding their effectiveness, due to the lack of infrastructure to absorb the attacks. For this reason, they often test against providers like Cloudflare to better understand how their attacks will perform.

“While large-scale attacks such as those leveraging vulnerabilities like Rapid Reset can be complex and difficult to mitigate, they provide us unprecedented visibility into new threat actor techniques early in development,” said Grant Bourzikas, CSO at Cloudflare. “While there is no such thing as ‘perfect disclosure,’ with downtime and bumps along the way, thwarting attacks and responding to breaking incidents requires organizations and security teams to live by the ‘assume breach’ mindset the Cloudflare team fosters. Ultimately, this allows us to be a proud partner that helps make the Internet secure.”