HTTP/2 Rapid Reset: HTTP/2 Zero-Day Vulnerability allows DDoS Attacks

Summary:

In October 10 2023, it was announced that Google, Amazon Web Services (AWS) and Cloudflare took steps to mitigate a high number of DDoS (Distributed Denial-of-Service) attacks that relied on a new vulnerability called HTTP/2 Rapid Reset. According to them, the attacks were detected in late August 2023. HTTP/2 Rapid Reset is tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10.

Vulnerability Details:

CVE Identifier: CVE-2023-44487

Severity: High (CVSS score: 7.5)

Description:

HTTP/2 Rapid Reset is a serious security flaw in layer 7 (application layer) that affects the HTTP/2 protocol, which is widely used by many websites and applications to communicate over the Internet.

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly according to MITRE.

Specifically, the HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending an RST_STREAM frame. The client may assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame. This attack is called Rapid Reset because it relies on the ability for an endpoint to send an RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled but leaves the HTTP/2 connection open.

This vulnerability allows attackers to launch massive DDoS attacks by sending and canceling requests in rapid succession. This leads to servers’ congestion and overload which then results in their inability to respond to legitimate traffic. The DDoS attacks can affect any server or application that supports HTTP/2, unless they have proper protection measures in place.

This vulnerability has been taken advantage of, by threat actors to carry out some of the largest DDoS attacks ever recorded. The attacks have affected huge providers like Google, AWS and Cloudflare. Specifically, according to Google “These attacks were significantly larger than any previously-reported Layer 7 attacks, with the largest attack surpassing 398 million requests per second”

As mentioned before, the above providers have coordinated and taken measures to mitigate the attacks. However, other servers and applications that use HTTP/2 may still be vulnerable.

Defensive Measures:

It is necessary that the companies with servers and applications that use this protocol take measures as soon as possible.

Patches and updates: Apply patches or updates from your web server vendors as soon as possible. Disable HTTP/2 on your web servers if you cannot apply patches or updates. This might affect your web performance and user experience.
HTTP flood protection tools: Use comprehensive HTTP-flood protection tools and enhance DDoS defenses by employing various mitigative strategies.
Rate controls: Implement rate controls on your web servers to close TCP connections with high create/RST_FRAME ratios. The “right” ratio will depend highly on the application and its clients3.