Response to HTTP/2 Rapid Reset: SiteGround's Swift Action Against a Novel Vulnerability

In the dynamic world of cybersecurity, it’s not unusual to encounter new challenges. Recently, a novel vulnerability, dubbed the “HTTP/2 Rapid Reset” attack, was discovered. Given that HTTP/2 is considered a relatively new protocol, we see more modern and more clever ways to perform attacks every day. But this latest vulnerability has the potential to disrupt web services at an unprecedented scale. 

Before we dive into the details, let’s break down what this means for website owners.

What is the HTTP/2 Rapid Reset Attack?

HTTP/2 is a protocol that helps your website load faster and handle more visitors simultaneously. HTTP/2 allows clients to request multiple website resources (CSS files, JS files, pictures, etc.) with a single query. However, some clever attackers found a way to exploit this mechanism. They developed a technique to send a request to a server and then immediately cancel it, repeating this process at an extremely high rate. This stream of requests and cancellations can overwhelm a server, causing it to slow down or even crash – a classic Denial of Service (DoS) attack. The attack not only overloads the web server offering HTTP/2, but all backends that are also involved in the handling of website requests – such as PHP executions, application servers, static files delivery, etc.

Imagine a call center and a caller dialing the call center and then hanging up immediately after an operator picks up the call. The operators waste precious time handling the bogus calls and cannot handle legitimate requests. The whole call center comes to a halt and cannot handle actual clients requests. That’s exactly what this new attack was causing on a server scale. 

SiteGround’s Rapid Response

At SiteGround, we always try to be steps ahead in terms of website security. This time makes no exception, and we were among the first web hosting companies to address this vulnerability. As soon as the HTTP/2 Rapid Reset attack was reported, our security engineers jumped into action. The official announcement was posted no more than 24 hours ago – on October 10th, 2023, with Google, Amazon and CloudFlare simultaneously announcing the problem. The web server software that we use for all hosting servers, Nginx, also released a blog post.

Our dedicated team of security experts worked tirelessly to patch all our web servers within an hour of the vulnerability’s disclosure. This rapid response ensured that our customers’ websites remained secure and operational, with minimal disruption. Right now, mere one day later, all SiteGround servers (web hosting servers and CDN) use patched Nginx code which protects all websites using our services.

Bottom Line

The HTTP/2 Rapid Reset attack is a serious threat, but thanks to our rapid response and commitment to security, SiteGround customers can rest easy. We’ve got your back, and we’re always ready to tackle whatever new challenges come our way. At SiteGround, your security is not just a priority – it’s a promise.