Unprecedented Use of Zero-day Exploits Propels Quarter 3 Spike in Distributed Denial of Service Attacks

HTTP/2 Rapid Reset weaknesses led to unprecedented assaults, maintaining October's global cyber threat escalation.

Increase in DDoS attacks during Q3 due to new, unknown vulnerabilities (zero-day exploits)

In the digital realm, the third quarter of 2025 has seen an escalation in distributed denial of service (DDoS) attacks, with a notable focus on Israeli media, financial institutions, and Palestinian websites. This surge in cyber activities has also been observed in the gaming and gambling sectors [1].

The HTTP/2 Rapid Reset Vulnerability: A Persistent Threat

At the heart of this escalation lies a novel zero-day vulnerability, known as the HTTP/2 Rapid Reset vulnerability. This class of attack primarily exploits weaknesses in HTTP/2 implementations to disrupt services [2]. Despite HTTP/2’s binary protocol design, which reduces ambiguity and desync issues compared to HTTP/1.1, HTTP/2 implementations still suffer from resource exhaustion flaws [1].

The persistence of these vulnerabilities implies a continuing threat from HTTP/2-based DDoS attacks. Security researchers anticipate more such desync and Rapid Reset attack variants in the future due to the complex nature of HTTP protocols and cautious patching approaches [1][2].

Major Players in DDoS Defense

Major companies like Cloudflare, Google, and AWS have recognized the HTTP/2 Rapid Reset vulnerability as a significant DDoS attack vector and have issued coordinated warnings [3]. Cloudflare, in particular, has been actively studying and mitigating these vulnerabilities, with recent presentations focused on HTTP/2 Rapid Reset results indicating ongoing monitoring and response efforts [5].

Fastly, another key player, has reported high volumes of DDoS attacks and has been able to rapidly deploy mitigation measures [4]. F5 has also warned its customers about the potential use of the HTTP/2 Rapid Reset vulnerability for DDoS attacks against Nginx Open Source, Nginx Plus, and other related products [6].

The Impact of DDoS Attacks

The increase in DDoS attacks highlights a shift in global threat groups' DDoS capabilities, making them more powerful and disruptive. In late August, Fastly observed an attack measuring 250 million requests per second lasting about three minutes [1]. Cloudflare reported 89 attacks that exceeded 100 million requests per second, with the largest attack peaking at 201 million requests per second [1].

This surge in DDoS activity has coincided with major ransomware attacks against Las Vegas casino operators in late August and September [1]. In response, the Cybersecurity and Infrastructure Security Agency has urged organizations to patch and make configuration changes to defend against the surge in DDoS activity [7].

Mitigation Strategies

Industry-wide best practices emphasize patching, deploying HTTP/2+ or HTTP/3, and using advanced DDoS protection services to mitigate risk [1][4]. Corporate stakeholders are showing increased interest in understanding the risk calculus of their technology stacks, with a focus on whether they are a potential target.
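Rapid Reset traffic consists of request streams that the client opens and then immediately cancels with RST_STREAM frames, so one server-side control is a per-connection cap on client-cancelled streams. The sketch below is an added example, not code from any vendor named in this article; the event names, the one-second window, the limit of 20 and the sample trace are assumptions made for illustration.

```python
from collections import defaultdict, deque

class ResetTracker:
    """Counts client-cancelled streams on one HTTP/2 connection."""
    def __init__(self, window=1.0, limit=20):   # assumed policy values
        self.window, self.limit = window, limit
        self.open_streams = set()
        self.resets = deque()                   # times of recent cancellations

    def on_frame(self, ts, kind, stream_id):
        """Return True when the connection should be closed with GOAWAY."""
        if kind == "HEADERS":                   # client opened a request stream
            self.open_streams.add(stream_id)
        elif kind == "RESPONSE_DONE":           # server finished its response
            self.open_streams.discard(stream_id)
        elif kind == "RST_STREAM" and stream_id in self.open_streams:
            # Client cancelled a request the server was still working on.
            self.open_streams.discard(stream_id)
            self.resets.append(ts)
        # Forget cancellations that have left the sliding window.
        while self.resets and ts - self.resets[0] > self.window:
            self.resets.popleft()
        return len(self.resets) > self.limit

def connections_to_close(events, **policy):
    """events: time-ordered (ts, conn_id, kind, stream_id) tuples."""
    trackers = defaultdict(lambda: ResetTracker(**policy))
    flagged = []
    for ts, conn, kind, stream_id in events:
        if conn not in flagged and trackers[conn].on_frame(ts, kind, stream_id):
            flagged.append(conn)
    return flagged

def sample_events():
    """Constructed trace: 'a' behaves like a browser, 'b' cancels everything."""
    events = [(3.0, "a", "HEADERS", 101), (3.05, "a", "RST_STREAM", 101)]
    for i in range(30):
        sid = 2 * i + 1                         # client stream ids are odd
        events += [(i * 0.5, "a", "HEADERS", sid),
                   (i * 0.5 + 0.1, "a", "RESPONSE_DONE", sid),
                   (i * 0.01, "b", "HEADERS", sid),
                   (i * 0.01 + 0.001, "b", "RST_STREAM", sid)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    print(connections_to_close(sample_events()))
```

Connection "a" makes one ordinary cancellation and is left alone, while "b" crosses the limit within a fraction of a second and is flagged for closure.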

In conclusion, the HTTP/2 Rapid Reset vulnerability remains a reliable method for launching DDoS attacks. Proactive defenses (including network-level DDoS protections and updated protocol versions) are essential to manage its impact. As the digital landscape continues to evolve, so too will the strategies required to secure it.

[1] https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
[2] https://www.fastly.com/blog/http2-rapid-reset-attacks
[3] https://www.wired.com/story/cloudflare-google-aws-warn-of-http2-rapid-reset-ddos-vulnerability/
[4] https://www.fastly.com/blog/fastly-makes-ddos-attack-mitigation-easier-and-more-effective
[5] https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/
[6] https://www.f5.com/about/news-events/newsroom/press-releases/f5-warns-of-new-http2-rapid-reset-vulnerability
[7] https://www.us-cert.gov/ncas/alerts/TA21-244A

  1. The HTTP/2 Rapid Reset vulnerability causes ongoing concerns in the cybersecurity realm, as it enables attackers to launch disruptive DDoS attacks, particularly on HTTP/2 implementations, due to resource exhaustion flaws.
  2. Acknowledging the threats posed by the HTTP/2 Rapid Reset vulnerability, major players like Cloudflare, Google, AWS, Fastly, and F5 have been actively issuing warnings and deploying mitigation measures to safeguard their customers from DDoS attacks.
  3. The surging DDoS attacks and the emergence of the HTTP/2 Rapid Reset vulnerability have made threat groups more powerful, as evidenced by incidents such as the ransomware attacks on Las Vegas casino operators. Therefore, organizations must prioritize cybersecurity measures, including prompt patching, switching to advanced protocols like HTTP/2+ or HTTP/3, and employing advanced DDoS protection services to minimize the risks to their data, cloud computing, and technology infrastructure.
