The Pragmatic Engineer
The Pulse #67: Okta Schooled on Its Security Practices

Also: the largest DDoS attack to date mitigated; AWS quickly reversed the banning of re:Invent community apps; and advice for engineers considering joining a bootstrapped company.

Gergely Orosz
Oct 26, 2023

The Pulse is a series covering insights, patterns, and trends within Big Tech and startups. Notice an interesting event or trend? Send me a message.

Today's topics are:

  1. Industry pulse. A roundup of recent events, with commentary: the largest DDoS to date mitigated; a one-year-old AI company worth $500M; a potential L8-L9 slowdown at Google, and more.

  2. Okta schooled on security practices – by its own customers. One of Okta’s customers reported a security breach. Okta did nothing. Then, another reported it. Okta still did nothing. 20 days after the first report, Cloudflare – another Okta customer – detected the exact same security breach. How do Okta’s customers have better security processes than Okta, a security-focused company?

  3. AWS swiftly unbans re:Invent scheduling apps. Developers maintaining community websites that help attendees schedule talks at re:Invent (AWS’s annual event) received an unfriendly message telling them they must remove all AWS content. AWS leadership reversed this decision within a day, but one of the scheduling apps had already complied with the demand and deleted its production database.

  4. Advice for software engineers considering joining a bootstrapped company. Former Lyft software engineer – now the cofounder of the bootstrapped company Friendly Captcha – Guido Zuidhof shares what characteristics he looks for in early hires, and traits that help with thriving in this position.

1. Industry pulse

AWS, Cloudflare, Google, and Microsoft defended against the largest DDoS to date

On 28 August 2023, AWS saw its largest distributed denial of service (DDoS) attack to date, peaking at 155M req/sec. More attacks followed, hitting different cloud providers through September and October. Cloudflare handled 201M req/sec (!), and Google said the attack against it peaked at 398 million req/sec (!!), roughly 8x the previous record DDoS attack Google had mitigated.

What enabled this attack was a zero-day HTTP/2 vulnerability called HTTP/2 Rapid Reset. Here is how Google explains it:

The HTTP/2 Rapid Reset attack, visualized. Image source: Google Cloud.

The attack exploits a newly discovered weakness in HTTP/2, named Rapid Reset: the attacker sends a HEADERS frame that starts a request, then immediately sends an RST_STREAM frame that cancels it. By then the server has already begun work on the request, yet the cancelled stream no longer counts against the connection’s concurrent-stream limit (SETTINGS_MAX_CONCURRENT_STREAMS). So the attacker can keep opening and cancelling streams on a single connection far faster than that limit was meant to allow. This asymmetry, nearly free for the client and expensive for the server, is what made the attack so efficient.

And this is how the attack ramped up to 398 million requests per second in about 30 seconds, as visualized by Google:

Within 30 seconds, the request rate climbed from under 1M per second to 398M per second. Image source: Google Cloud

The major infrastructure providers coordinated on mitigations, and all major cloud providers have since patched against this attack. The vulnerability is tracked as CVE-2023-44487 in the Common Vulnerabilities and Exposures (CVE) database. Note that it is a weakness in how HTTP/2 servers handle stream cancellation in general, not something specific to the big clouds: self-hosted web servers and reverse proxies that speak HTTP/2 needed patching too. Read the summaries on this attack by Google, by AWS, by Cloudflare, and by Azure.
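To make the mechanism concrete, here is an added example in Python, written for this newsletter and not taken from Google’s write-up or from any provider’s actual mitigation code. It builds the raw HTTP/2 frames of a Rapid Reset burst (a HEADERS frame immediately followed by RST_STREAM on each stream), parses them back, and runs them through a small server-side model of one connection. The model shows why the pre-existing defense, SETTINGS_MAX_CONCURRENT_STREAMS, never fires (each reset frees the slot again, so at most one stream is ever in flight), and why a reset budget per connection, the kind of fix the patched servers added, does. The HPACK header block is hand-encoded from static-table entries, example.com is a placeholder, and the thresholds (100 concurrent streams, 100 resets) are illustrative assumptions, not values from any real server.

```python
"""Rapid Reset at the frame level: build the HEADERS + RST_STREAM burst, parse it,
and show why a concurrent-stream limit never trips while a reset budget does."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# HTTP/2 frame types, flags and error codes (RFC 9113)
HEADERS, RST_STREAM = 0x1, 0x3
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    if len(payload) >= 1 << 24 or not 0 <= stream_id < 1 << 31:
        raise ValueError("frame too large or bad stream id")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed HPACK block for "GET https://example.com/": static-table indexed entries
# 0x82 (:method GET), 0x87 (:scheme https), 0x84 (:path /), then :authority as a
# literal-without-indexing field (name index 1, raw value). example.com is a placeholder.
AUTHORITY = b"example.com"
HEADER_BLOCK = bytes([0x82, 0x87, 0x84, 0x01, len(AUTHORITY)]) + AUTHORITY


def rapid_reset_burst(n: int) -> bytes:
    """n complete requests on one connection, each cancelled the moment it is sent."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, HEADER_BLOCK)
        out += frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return bytes(out)


def parse_frames(data: bytes) -> List[Tuple[int, int, int, bytes]]:
    """Split a byte stream into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(data):
        if pos + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((ftype, flags, sid, payload))
        pos += 9 + length
    return frames


@dataclass
class ConnectionGuard:
    """Server-side accounting for one connection. Thresholds are illustrative assumptions."""
    max_concurrent_streams: int = 100   # SETTINGS_MAX_CONCURRENT_STREAMS, the pre-CVE defense
    max_resets: int = 100               # added defense: resets tolerated before closing
    in_flight: Set[int] = field(default_factory=set)
    requests: int = 0
    resets: int = 0
    peak_in_flight: int = 0
    closed_reason: Optional[str] = None

    def feed(self, data: bytes) -> None:
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.closed_reason:
                return
            if ftype == HEADERS and sid not in self.in_flight:
                if len(self.in_flight) >= self.max_concurrent_streams:
                    self.closed_reason = "PROTOCOL_ERROR: too many concurrent streams"
                    return
                self.in_flight.add(sid)
                self.requests += 1   # the server has already started work at this point
                self.peak_in_flight = max(self.peak_in_flight, len(self.in_flight))
            elif ftype == RST_STREAM and sid in self.in_flight:
                self.in_flight.discard(sid)  # slot freed, so the concurrency limit never trips
                self.resets += 1
                # Mostly-cancelled traffic past the reset budget: drop the connection
                # (a real server would send GOAWAY with error code ENHANCE_YOUR_CALM).
                if self.resets > self.max_resets and 2 * self.resets > self.requests:
                    self.closed_reason = "ENHANCE_YOUR_CALM: rapid reset"


if __name__ == "__main__":
    burst = rapid_reset_burst(1000)
    naive = ConnectionGuard(max_resets=10**9)   # concurrency limit only
    naive.feed(burst)
    print("naive guard:", naive.requests, "requests started, peak in flight",
          naive.peak_in_flight, "closed:", naive.closed_reason)
    hardened = ConnectionGuard()
    hardened.feed(burst)
    print("hardened guard:", hardened.requests, "requests before close:", hardened.closed_reason)
```

Run it and the naive guard reports all 1,000 requests started with a peak of one stream in flight and the connection still open, while the hardened guard closes it after the 101st reset. The ratio check (`2 * resets > requests`) is there so a legitimate client that cancels a few streams among many real requests is not punished; only traffic that is mostly cancellations trips the budget.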

GitHub Copilot has more than 1M paying customers

Two weeks ago, GitHub Copilot was reported to have passed $100M in annual revenue run rate. This week, Microsoft CEO Satya Nadella announced on Microsoft’s earnings call:

This post is for paid subscribers
© 2025 Gergely Orosz