Google, Amazon, Microsoft and Cloudflare revealed this week that they had mitigated massive, record-breaking distributed denial-of-service (DDoS) attacks against their cloud infrastructure in August and September. DDoS attacks are a classic Internet threat in which attackers try to overwhelm a service with junk traffic and bring it to a crawl, and attackers are always developing new tactics to make them larger or more effective.
The latest attacks are particularly noteworthy, however, because the attackers exploited a weakness in a basic network protocol rather than a bug in one product. While patching is well underway, fixes will need to reach essentially every HTTP/2-capable web server and proxy in the world before these attacks can be completely eradicated.
The vulnerability, known as "HTTP/2 Rapid Reset" and tracked as CVE-2023-44487, can only be used to deny service; attackers cannot use it to take over the server remotely or steal data. But attacks don't have to be fancy to cause big problems - availability is critical to accessing any digital service, from critical infrastructure to important information.
Google Cloud's Emil Kiner and Tim April wrote this week: "DDoS attacks can have widespread impacts on victim organizations, including business losses and unavailability of mission-critical applications. The time to recover from a DDoS attack can far exceed the time the attack ends."
Another aspect of the situation is the source of the vulnerability. Rapid Reset does not live in a specific piece of software but in the design of HTTP/2, the network protocol used to load web pages. HTTP/2, standardized by the Internet Engineering Task Force (IETF) in 2015, is the faster and more efficient successor to HTTP/1.1. It performs better on mobile devices and uses less bandwidth, so it is widely adopted. The IETF has since published its successor, HTTP/3.
Cloudflare's Lucas Pardue and Julien Desgats wrote this week: "Because this attack abuses a potential weakness in the HTTP/2 protocol, we believe that any provider that implements HTTP/2 will be vulnerable." While there appear to be a handful of implementations that are not affected by Rapid Reset, Pardue and Desgats emphasized that the issue is broadly relevant to "every modern web server."
Unlike a Windows vulnerability patched by Microsoft or a Safari vulnerability patched by Apple, a flaw in a protocol cannot be fixed by one central entity, because every web server, proxy and load balancer implements the standard in its own code. When major cloud services and DDoS defense providers deploy fixes for their services, they go a long way toward protecting everyone who uses their infrastructure. But organizations and individuals who run their own web servers need to update each HTTP/2 implementation they operate, and where no vendor fix exists yet, put their own protective measures in front of it.
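As an illustration of the kind of protective measure that paragraph refers to, here is an added example written for this page (it is not code from Cloudflare, Google or any web server project) of a widely used mitigation: count how often a client opens a stream and immediately resets it, and close the connection once that count passes a threshold. The frame parser follows the HTTP/2 wire format (a 9-byte frame header carrying a 24-bit length, 8-bit type, 8-bit flags and 31-bit stream identifier). The 100-reset threshold, the class and function names, and the two byte streams it inspects are constructed for the example, not taken from the article or from real captures.

```python
"""Toy HTTP/2 frame parser plus a per-connection rapid-reset guard.
Added example for this page; not code from any vendor or web server."""
import struct

# Frame type codes from the HTTP/2 specification (RFC 9113).
HEADERS = 0x1
RST_STREAM = 0x3
FRAME_HEADER_LEN = 9            # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
END_STREAM = 0x1
END_HEADERS = 0x4
CANCEL = 0x8                    # RST_STREAM error code a client uses to abandon a request


def build_frame(frame_type, stream_id, payload=b"", flags=0):
    """Serialize one HTTP/2 frame with the 9-byte header from RFC 9113 section 4.1."""
    length = struct.pack("!I", len(payload))[1:]            # low 24 bits of the length
    return length + bytes([frame_type, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in a byte stream.
    A trailing partial frame is left unparsed, as a real connection handler would wait for more bytes."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        frame_type, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break
        yield frame_type, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class ResetGuard:
    """Tracks one client connection. A stream that is opened by HEADERS and then
    reset by the client before the server has answered counts as a rapid reset;
    once a connection exceeds max_rapid_resets the server should close it."""

    def __init__(self, max_rapid_resets=100):     # threshold is an assumption for the example
        self.max_rapid_resets = max_rapid_resets
        self.awaiting_response = set()             # streams opened, not yet answered
        self.streams_opened = 0
        self.rapid_resets = 0
        self.peak_open = 0                         # most streams open at the same time

    def server_responded(self, stream_id):
        """Call when the server has sent a response; later resets are ordinary cancellations."""
        self.awaiting_response.discard(stream_id)

    def observe(self, frame_type, stream_id):
        """Feed one client frame. Returns 'close' when the connection should be dropped."""
        if frame_type == HEADERS and stream_id not in self.awaiting_response:
            self.awaiting_response.add(stream_id)
            self.streams_opened += 1
            self.peak_open = max(self.peak_open, len(self.awaiting_response))
        elif frame_type == RST_STREAM and stream_id in self.awaiting_response:
            self.awaiting_response.discard(stream_id)
            self.rapid_resets += 1
            if self.rapid_resets > self.max_rapid_resets:
                return "close"
        return "continue"


def inspect_connection(data, max_rapid_resets=100):
    """Run the guard over a captured client byte stream; return (verdict, guard)."""
    guard = ResetGuard(max_rapid_resets)
    for frame_type, _flags, stream_id, _payload in parse_frames(data):
        if guard.observe(frame_type, stream_id) == "close":
            return "close", guard
    return "keep", guard


# Constructed sample traffic (not a real capture). 0x82 is the HPACK index for ':method: GET'.
def normal_client(requests=5):
    """A well-behaved client: one request per odd-numbered stream, nothing reset."""
    return b"".join(build_frame(HEADERS, 2 * i + 1, b"\x82", END_HEADERS | END_STREAM)
                    for i in range(requests))


def rapid_reset_client(requests):
    """The Rapid Reset pattern: every HEADERS frame is followed at once by RST_STREAM(CANCEL)."""
    frames = []
    for i in range(requests):
        sid = 2 * i + 1
        frames.append(build_frame(HEADERS, sid, b"\x82", END_HEADERS | END_STREAM))
        frames.append(build_frame(RST_STREAM, sid, struct.pack("!I", CANCEL)))
    return b"".join(frames)


if __name__ == "__main__":
    for name, stream in (("normal", normal_client()), ("rapid reset", rapid_reset_client(1000))):
        verdict, guard = inspect_connection(stream)
        print(f"{name}: verdict={verdict} opened={guard.streams_opened} "
              f"rapid_resets={guard.rapid_resets} peak_open={guard.peak_open}")
```

Run stand-alone, the script reports that the well-behaved client is kept and the abusive one is closed after its 101st reset. The `peak_open` figure is the point of the exercise: the abusive connection never has more than one stream open at a time, so `SETTINGS_MAX_CONCURRENT_STREAMS`, the protocol's built-in concurrency limit, never triggers, even though the server has already parsed and begun work on every cancelled request. That asymmetry is the weakness in the specification the article refers to, and it is why the fixes count resets instead of open streams. Two caveats for anyone adapting this: legitimate clients do cancel requests (a browser navigating away is one example), so production guards use a rate over a time window rather than a lifetime count, and the threshold has to be tuned against real traffic before it is enforced.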
Dan Lorenc, CEO of Chainguard, a software supply chain security company with long involvement in open source, pointed to this situation as an example of how the availability of open source and the pervasiveness of code reuse (rather than building everything from scratch) is an advantage: many web servers pull in an existing HTTP/2 implementation rather than reinventing the wheel, so if those shared projects are maintained, they will develop Rapid Reset fixes and roll them out to everyone downstream.
Full adoption of those patches will still be years away, though, and some services implement HTTP/2 themselves from scratch, with no upstream patch to pull in.
"It's important to note that when big tech companies find out about this issue, it's being actively exploited," Lorenc said. "It can be used to paralyze services, like operational technology or industrial controls. It's scary."
While the recent spate of DDoS attacks against Google, Cloudflare, Microsoft and Amazon raised alarms due to their sheer scale, the companies ultimately mitigated the attacks without lasting damage. But by using the technique in the wild, the attackers revealed both the existence of the protocol weakness and how to exploit it, and lost the advantage of an undisclosed flaw; in security parlance, the zero-day was "burned." While the patching process will take time, and some web servers will remain vulnerable for a long while, the Internet is more secure now than it would have been if the attackers had not shown their cards.
Lorenc said: "It is unusual for a vulnerability like this to appear in a standard; it is a novel vulnerability and a valuable discovery for whoever discovered it first. They could have kept it or maybe even sold it and made a fortune. I've always been curious as to why someone decided to 'burn' this vulnerability."