Cloudflare protects customers against new record-breaking DDoS attack
HTTP/2 Rapid Reset is a flaw in the HTTP/2 protocol that can be exploited to carry out DDoS attacks.
Because 62% of the Internet traffic we see uses HTTP/2, this is a high severity vulnerability. It has been exploited to create the largest DDoS attack we have ever seen.
If you are using any of these Cloudflare products, you are already protected: CDN, SSL/TLS encryption, HTTP DDoS, WAF, Bot Management, Rate Limiting, API Gateway, or Page Shield.
If you're not using one of these products, Cloudflare can protect you today.
Learn the latest news on the DDoS attack campaign from Cloudflare CSO, Grant Bourzikas, and Cloudflare Field CTO, John Engates
Read our press release on the HTTP/2 Rapid Reset attack campaign and Cloudflare’s response
Tune in to a discussion with our technical experts covering the specifics of HTTP/2 Rapid Reset and how you can defend against it
Get the full details of the vulnerability to understand how it impacts your applications and systems
Organizations proxying their HTTP traffic through Cloudflare are automatically protected. The vast majority of organizations using Cloudflare fall into this category.
You are protected if you have deployed any of these Cloudflare services:
If you have HTTP assets or applications that are not behind one of these products, contact Cloudflare or your DDoS protection vendor to learn more.
With industry peers, Cloudflare helped discover the underlying flaw in late August, 2023. We worked with governments and industry groups to responsibly disclose the vulnerability and attack campaign.
Cloudflare DDoS Protection helps every organization with applications behind Cloudflare, including free customers. Less than 0.0001% of requests served during the attack campaign resulted in errors.
Cloudflare patched our implementation of HTTP/2 to reduce the impact of the exploit on our customers’ applications.