Table of Contents
Major Tech Companies Respond to HTTP/2 Zero-Day Exploited for DDoS Attacks
In response to the recent exploitation of the HTTP/2 zero-day vulnerability for launching DDoS attacks, several major tech companies have been proactively taking countermeasures. These include clear-cut internet giants like Google, Cloudflare, and Amazon Web Services (AWS). They have implemented additional mitigation strategies in an effort to protect their infrastructure and service reliability from sporadic server downtimes due to Distributed Denial of Service attacks.
Introduction of New Attack Method
Adding to the echoing concerns, hackers have recently started using a new method of attack. This involves the technique of 'stream cancellation' in HTTP/2 to intentionally bring down servers. The tactics involve sending numerous requests to an HTTP/2 window, thus clogging the stream and eventually succeeding in bringing down the server.
Web Server Software Companies Begin Working on Patches
In response to these cyber threats, several web server software companies have gotten to work. They are in the process of developing patches to rectify the HTTP/2 zero-day vulnerability. These patches are expected to prevent this new methodology of exploiting server weaknesses to pull them down through excessive requests, thereby responding to the current challenge of DDoS attacks.
Advisory Publications and Alerts on HTTP/2 Rapid Reset Vulnerability
In response to the rising threat from HTTP/2 zero-day exploitation, numerous entities responsible for cybersecurity are providing advisories and alerts. These are intended to raise awareness and offer proactive measures in the face of the increasingly prevalent Distributed Denial of Service (DDoS) attacks.
US Cybersecurity Agency CISA Releases Alert on HTTP/2 Rapid Reset Risk
One such body taking substantial steps is the US Cybersecurity and Infrastructure Security Agency (CISA). They have made publicized warnings about the potent threat that HTTP/2 Rapid Reset vulnerability poses. CISA's release is aimed at urging organizations to step up their security measures regarding the issue.
Microsoft Advises Users to Update Web Servers and Disable HTTP/2 Protocol
On similar lines, Microsoft, one of the leading tech companies, has also entered the arena with its advisories. They have recommended users to promptly install all available updates for their web servers to stay protected. In addition to this, they are advising the temporary disabling of the HTTP/2 protocol as an added measure, until further notice.
NGINX Warnings on Configuration Update Requirement Due to Vulnerability
NGINX, the popular web server software provider, hasn't turned a blind eye to the situation either. They are amongst other bodies that have raised serious concerns regarding the DDoS threat. Subsequently, they've warned their user base about the urgent need to update their system's configuration. This, as per NGINX, is pivotal to stem the potential for a Denial of Service (DoS) attack leveraged by the HTTP/2 vulnerability.
Open Source Security Foundation and Netty’s Response
The response to the HTTP/2 zero-day exploitation isn't limited to private tech companies and cybersecurity agencies. Open Source institutions and software developers have also taken necessary action steps to mitigate the threats posed by this vulnerability.
Open Source Security Foundation Emphasizes Rapid Response Requirement
The Open Source Security Foundation, a collaborative foundation focused on improving the security of open-source software, has underlined the immediate need for tackling the underlying vulnerability. Recognizing the potential severity of DDoS attacks that could exploit this loophole, the Foundation has urged all stakeholders to act swiftly in devising countermeasures against it.
Netty Releases New Version to Address HTTP/2 DDoS Attack Vector
On the front lines of the software developing community's response, Netty deserves a notable mention. Netty, an open-source Java-based network application framework, has released a new version labeled 4.1.100.Final. This update is primarily aimed at fixing the DDoS attack vector that was recently revealed in the HTTP/2 protocol, illustrating a clear and immediate response to a prominent cybersecurity issue.
Apache Tomcat, Swift, and Linux Distributions Respond
The issue of HTTP/2 zero-day exploitation has prompted diverse organizations, from web server developers to open-source operating system distributors, to fortify their defenses and caution their users. Demonstrating proactive commitment to cybersecurity, companies like Apache Tomcat, Swift, and various Linux distributions have expressed their responses to the current threat landscape.
Apache Tomcat Confirms Vulnerability and Releases Fix
Apache Tomcat, a widely-used open-source Java Servlet Container developed by the Apache Software Foundation, has acknowledged the vulnerability existing within their HTTP/2 implementation. As part of their response, they have released a fix in the more recent Apache Tomcat 10.1.14 version. Users are hence advised to update their software to this version to secure their servers.
Swift Recommends Updating to Version 1.28.0
Similarly, Swift - the powerful and intuitive programming language by Apple, has issued guidance to its users. They recommend those running a publicly accessible HTTP/2 server to update to version 1.28.0. Swift's advice is clearly aimed at addressing the DDoS threat by ensuring users operate with an up-to-date, more secure version of the software.
Linux Distributions Issue Advisory for Disclosed Vulnerability
Not falling behind, Linux distributions such as Red Hat, Ubuntu, and Debian have also published advisories concerning the disclosed vulnerability. Recognizing the potential for exploitation, these distributions have initiated prompt action to give their users clear instructions on how to protect themselves from becoming victims of a DDoS attack driven by the HTTP/2 zero-day exploit.
