HTTP/2 Rapid Reset vulnerability
On October 10, 2023, Cloudflare, Google, and Amazon Web Services (AWS) revealed that a new zero-day vulnerability in the HTTP/2 protocol had been exploited to launch the largest distributed denial-of-service (DDoS) attacks in history.
HTTP/2 is a newer version of the HTTP protocol that is used to deliver web content more efficiently. It allows multiple requests to be sent over a single TCP connection, which can improve performance and reduce bandwidth usage.
The HTTP/2 Rapid Reset vulnerability exploits the way that HTTP/2 handles multiple requests over a single TCP connection. By sending a series of requests and then quickly resetting them, attackers can create a large number of concurrent streams on the victim’s server. This can overwhelm the server’s resources and cause it to become unavailable.
The Vulnerability Breaks the Record
The DDoS attacks that exploited the HTTP/2 Rapid Reset vulnerability were unprecedented in size and scale. One DDoS attack reported by Cloudflare peaked at 201 million requests per second (RPS), more than seven times the largest attack the company had previously seen. AWS saw over a dozen HTTP/2 Rapid Reset attacks over the course of two days in late August, with the largest peaking at 155 million RPS.
In Google's case, the company detected a DDoS attack that peaked at 398 million requests per second (RPS), over seven times larger than the biggest attack the internet giant had seen before.
The vulnerability is a serious threat to the security and stability of the internet. It is important for organizations to patch their servers and other infrastructure against this vulnerability as soon as possible.
Explanation of the HTTP/2 Rapid Reset vulnerability
HTTP/2 is a multiplexed protocol, which means that it allows multiple requests to be sent over a single TCP connection. This is done by opening multiple streams on the same TCP connection. Each stream is independent of the others, and can be used to send a different request.
To exploit the vulnerability, attackers typically use a botnet to send a large number of HTTP/2 requests to the victim’s server. Each request is sent on a different stream. The attackers then quickly reset the streams, which forces the victim’s server to close them. The victim’s server then has to open new streams to handle the next batch of requests. This process is repeated until the victim’s server is overwhelmed and becomes unavailable.
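To make the stream/reset mechanism above concrete from the defender's side, here is an added example (not code from the article, Cloudflare, Google or AWS): it parses HTTP/2 frame headers from a constructed byte stream and counts client-opened streams against RST_STREAM frames on one connection, the kind of per-connection reset budget that server vendors shipped as a mitigation. The frame layout follows RFC 9113; the thresholds (100 resets, a 50% reset ratio) and the `ResetBudget` name are hypothetical.

```python
import struct
from dataclasses import dataclass

# HTTP/2 frame type codes (RFC 9113) involved in opening and abandoning a stream
HEADERS, RST_STREAM = 0x1, 0x3
CANCEL = 0x8  # RST_STREAM error code a client sends to abandon a request

def frame(ftype, stream_id, payload=b"", flags=0):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

def parse_frames(data):
    """Yield (type, stream_id, payload) for each complete frame following the connection preface."""
    off = 0
    while off + 9 <= len(data):
        length, ftype = int.from_bytes(data[off:off + 3], "big"), data[off + 3]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than mis-parse
        yield ftype, stream_id, payload
        off += 9 + length

@dataclass
class ResetBudget:
    """Per-connection counters; the thresholds are hypothetical, not any vendor's defaults."""
    max_resets: int = 100   # absolute RST_STREAM budget before the connection is dropped
    min_ratio: float = 0.5  # resets / client-opened streams that marks the pattern as abusive
    opened: int = 0
    resets: int = 0
    def observe(self, ftype, stream_id):
        if ftype == HEADERS and stream_id % 2 == 1:  # odd ids are client-initiated streams
            self.opened += 1
        elif ftype == RST_STREAM:
            self.resets += 1
    def exceeded(self):
        ratio = self.resets / self.opened if self.opened else 0.0
        return self.resets >= self.max_resets and ratio >= self.min_ratio

def evaluate_connection(data, budget=None):
    """Return (streams opened, resets seen, send_goaway) for one connection's frames."""
    budget = budget or ResetBudget()
    for ftype, stream_id, _ in parse_frames(data):
        budget.observe(ftype, stream_id)
    return budget.opened, budget.resets, budget.exceeded()

def rapid_reset_sample(n):
    """Constructed traffic: every request is opened and immediately cancelled, as the article describes."""
    cancel = CANCEL.to_bytes(4, "big")  # 0x82 below is HPACK indexed ':method: GET'; flags END_STREAM|END_HEADERS
    return b"".join(frame(HEADERS, 2 * i + 1, b"\x82", 0x05) + frame(RST_STREAM, 2 * i + 1, cancel) for i in range(n))
```

A production implementation keys the counters to a sliding time window and reacts by sending GOAWAY and closing the connection; this version counts over the whole capture to keep the arithmetic visible.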
The HTTP/2 Rapid Reset vulnerability is a serious threat because it can be used to launch very large and effective DDoS attacks.
Tracked as a CVE: Warning and Mitigations for ‘HTTP/2 Rapid Reset Attacks’
Cloudflare observed that the record-breaking attack directed at its customers was executed using a botnet of just 20,000 compromised devices. In contrast, the web security firm frequently encounters attacks orchestrated by botnets of hundreds of thousands or even millions of devices.
The underlying vulnerability, known as CVE-2023-44487, is believed to affect all web servers that implement HTTP/2 and has been given a ‘high severity’ rating with a CVSS score of 7.5.
Both Cloudflare and Google have released blog posts providing technical insights into the HTTP/2 Rapid Reset attack, and AWS has also published a blog post detailing its observations of the HTTP/2 Rapid Reset attacks.
The companies have reported that their existing DDoS defenses were largely effective against the HTTP/2 Rapid Reset attack, but they have implemented additional measures to mitigate this attack method. They have also alerted web server software companies, which have begun developing patches to prevent the exploitation of this vulnerability.
Google issued a warning, stating, “Any enterprise or individual providing HTTP-based services on the Internet could be susceptible to this attack. Web applications, services, and APIs hosted on a server or proxy using the HTTP/2 protocol may be at risk. Organizations should ensure that their servers supporting HTTP/2 are not vulnerable or apply vendor patches for CVE-2023-44487 to minimize the impact of this attack vector.”
Here are some tips for mitigating the risk of HTTP/2 Rapid Reset attacks:
- Patch your servers and other infrastructure against the HTTP/2 Rapid Reset vulnerability. This is the most important thing you can do to protect your systems from attack.
- Use a web application firewall (WAF) to filter HTTP/2 traffic. A WAF can block malicious requests and help to protect your servers from being overwhelmed.
- Implement load balancing and other DDoS mitigation techniques. This can help to distribute traffic across multiple servers and make it more difficult for attackers to launch successful DDoS attacks.
By following these tips, you can help to protect your systems from HTTP/2 Rapid Reset attacks and other DDoS attacks.