The nation’s cyber defense agency is calling on internet delivery service providers to immediately implement patches against an internet-wide vulnerability.
The Cybersecurity and Infrastructure Security Agency urged organizations that provide critical internet delivery services to immediately apply patches and other mitigations after an internet-wide security vulnerability led to the largest distributed denial-of-service attack ever recorded.
Amazon Web Services, Cloudflare and Google provided details in a coordinated announcement on Tuesday about the novel techniques behind the internet-wide vulnerability known as Rapid Reset employed during the August cyberattack.
The companies described the scale of attacks as "astonishing" and noted how the vulnerability leveraged a feature in the HTTP/2 network protocol that sent and canceled an overwhelming amount of requests, which can potentially lead to a denial of service. The attack technique also leverages botnets — vast networks of compromised computers — to amplify its impact.
"Botnets can generate massive request rates, posing a severe threat to targeted web infrastructures," the announcement said. "Customers should update their systems with available patches to strengthen against this vulnerability, ensuring a robust barrier against exploitative attacks."
The details surrounding the major cyberattack came as CISA's flagship public-private collaborative released guidance that urged the open source vendor community to further invest in and develop software security measures for operational technology and industrial control systems.
The guidance included "actionable solutions" that will "further reduce risk to our nation's critical infrastructure," CISA associate director Clayton Romans said in a press release.
The cyberattack — which has not yet been linked to any known global hacking organizations — was eight times larger than the previous record, according to Google, generating more than 398 million requests per second. The attack did not lead to any outages, the companies said.
Editor's note: This article was updated to reflect the announcement of the DDoS attack was coordinated among several companies but not issued jointly.