CISA (Cybersecurity and Infrastructure Security Agency) urged organizations that provide critical internet delivery services to immediately apply patches and other mitigations after an internet-wide security vulnerability led to the largest DDoS attack ever recorded. In a groundbreaking joint announcement, Amazon Web Services, Cloudflare, and Google have pulled back the curtains on a new vulnerability known as “HTTP/2 Rapid Reset.”
Describing the scale of these attacks as nothing short of “astonishing,” the companies shed light on the vulnerability’s exploitation of a specific feature within the HTTP/2 network protocol. This feature allowed attackers to overload web servers with a barrage of incoming requests, only to abruptly cancel them. Such an onslaught of requests can take online services offline.
What is the HTTP/2 Rapid Reset?
The attackers are exploiting the high-severity vulnerability, tracked as CVE-2023-44487, to launch attacks that reached as high as 398 million requests per second. The vulnerability isn’t specific to any software but exists within the HTTP/2 network protocol specification. HTTP/2 was developed in 2015 as a replacement for the original hypertext transfer protocol, to enable more efficient data streams. However, some experts claim that HTTP/2’s faster streams open it up to larger-scale attacks.
In light of the recently disclosed data concerning the new DDoS attack vector, F5 has issued a pressing call to action, urging all users of its Nginx open-source project to implement essential upgrades to their configuration files. This action is imperative, as the vulnerability in question can be exploited to launch devastating DDoS attacks against not only Nginx Open Source but also associated products.
In the wake of the significant HTTP/2 Rapid Reset DDoS attack, CISA has taken center stage with a critical call to action. CISA issued a set of guidelines urging the open-source vendor community to bolster their investments in the development of software security measures, particularly for operational technology and industrial control systems. The guidelines include actionable solutions designed to significantly decrease the risks to critical infrastructure. Among those recommendations is the need to continuously test DDoS protection and its protected environments for vulnerabilities and misconfigurations.
MazeBolt’s research team also chimed in to provide the following information: The “CVE-2023-44487 HTTP/2 Rapid Reset Attack” exploits the HTTP/2 reset stream (RST_STREAM) feature to cause a disruption to online web services. While HTTP/2 allows multiple HTTP streams to be established with the targeted server through one single TCP connection, it also allows clients to cancel HTTP streams and leave the TCP connection open for other HTTP streams.
Since each HTTP stream consumes server resources (CPU, RAM), an attacker can open multiple HTTP streams over the same TCP connection, reset several of them at once, and immediately request new ones. Because cancelled streams no longer count toward the web server’s configured limit on concurrent streams, that limit is never reached, while the CPU stays busy both tearing down old streams and setting up new ones. The result is an overload of the entire web server’s resources, making it unavailable to legitimate users.
We are more likely to see such attacks affecting web services when attackers cancel a huge number of HTTP requests (streams) over one TCP connection before new streams are received. In such a scenario, the targeted server’s concurrent stream number does not reach its limit, and the server gets overloaded.
Typical deployments use a load balancer or a proxy server upstream of the targeted server, letting the proxy server handle these requests. Such deployments will eventually experience downtime as the proxy servers get overloaded. A better way to withstand such a devastating attack is to use a buffering method that allows security systems to store new streams in a system queue. When the attacker cancels a vast number of streams (by issuing RST_STREAM frames), these streams are deleted and removed from the queue without affecting the target server’s resources.
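The mechanism described above, restated as defender-side accounting in an added example (not code from this article, MazeBolt, or any of the vendors named): the block parses HTTP/2 frame headers in the RFC 7540 layout, tracks open streams per connection against a concurrent-stream cap, and separately counts RST_STREAM frames in a sliding window. It shows why the concurrent-stream limit alone never trips during a rapid-reset pattern (peak open streams stays at one) and how a per-connection reset-rate limit, the class of mitigation servers and proxies adopted, does. The limits, window, and both sample traffic sequences are constructed assumptions for illustration, not published or captured values.

```python
"""Added example: per-connection HTTP/2 stream and RST_STREAM accounting."""
from collections import deque

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8  # RST_STREAM error code CANCEL


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each frame in a byte buffer."""
    off = 0
    while off < len(buf):
        if len(buf) - off < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid, payload
        off += FRAME_HEADER_LEN + length


class ConnectionMonitor:
    """Two independent controls a server or proxy can keep per connection.

    max_concurrent_streams mirrors SETTINGS_MAX_CONCURRENT_STREAMS: a new stream is
    refused once the cap is reached. Rapid Reset sidesteps it, because a cancelled
    stream no longer counts. reset_limit/window_s counts RST_STREAM frames in a
    sliding time window and marks the connection abusive when exceeded. The default
    numbers are assumptions for this example, not published recommendations.
    """

    def __init__(self, max_concurrent_streams=128, reset_limit=50, window_s=1.0):
        self.max_concurrent_streams = max_concurrent_streams
        self.reset_limit = reset_limit
        self.window_s = window_s
        self.open_streams = set()
        self.reset_times = deque()
        self.peak_open = 0
        self.abusive = False

    def on_frame(self, ftype, flags, sid, payload, now):
        if ftype == TYPE_HEADERS and sid not in self.open_streams:
            if len(self.open_streams) >= self.max_concurrent_streams:
                return "REFUSED_STREAM"
            self.open_streams.add(sid)
            self.peak_open = max(self.peak_open, len(self.open_streams))
        elif ftype == TYPE_RST_STREAM:
            self.open_streams.discard(sid)  # cancelled stream frees its slot
            self.reset_times.append(now)
            while self.reset_times and now - self.reset_times[0] > self.window_s:
                self.reset_times.popleft()
            if len(self.reset_times) > self.reset_limit:
                self.abusive = True
                return "CLOSE_CONNECTION"
        return "OK"


def run_connection(frames, timestamps, **limits):
    """Feed serialized frames with per-frame arrival times; stop once flagged."""
    mon = ConnectionMonitor(**limits)
    verdicts = []
    for (ftype, flags, sid, payload), ts in zip(iter_frames(frames), timestamps):
        verdicts.append(mon.on_frame(ftype, flags, sid, payload, ts))
        if mon.abusive:
            break
    return {"abusive": mon.abusive, "peak_open": mon.peak_open,
            "frames_seen": len(verdicts), "verdicts": verdicts}


# Constructed sample traffic (not captured data). Client streams use odd ids.
def sample_benign(n_requests=20, step_s=0.05):
    """Ordinary page load: many requests, one cancelled when the user navigates away."""
    buf, times, t = b"", [], 0.0
    for i in range(n_requests):
        sid = 2 * i + 1
        buf += build_frame(TYPE_HEADERS, FLAG_END_HEADERS, sid, b"\x82")  # HPACK ':method: GET'
        times.append(t)
        t += step_s
        if i == 7:
            buf += build_frame(TYPE_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
            times.append(t)
            t += step_s
    return buf, times


def sample_rapid_reset(n_pairs=500, step_s=0.001):
    """What the server observes in the pattern the article describes: open, cancel, repeat."""
    buf, times = b"", []
    for i in range(n_pairs):
        sid = 2 * i + 1
        buf += build_frame(TYPE_HEADERS, FLAG_END_HEADERS, sid, b"\x82")
        buf += build_frame(TYPE_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
        times += [2 * i * step_s, (2 * i + 1) * step_s]
    return buf, times


if __name__ == "__main__":
    print("benign:", run_connection(*sample_benign()))
    print("rapid reset:", run_connection(*sample_rapid_reset()))
```

In the rapid-reset sample the monitor reports a peak of one open stream, so a cap of 128 concurrent streams is never approached, yet the connection is flagged after the 51st reset inside the one-second window; the benign sample, with a single cancel, passes both controls. In production the same counters belong at the proxy or load balancer the article mentions, which can close the offending connection before the origin does any work.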
What more can you do?
Remember that by keeping your DDoS protection properly configured and performing continuous testing and validation, you will be able to keep your online services protected against DDoS attacks, no matter what attack vector is used. The CVE-2023-44487 HTTP/2 Rapid Reset Attack is yet another reminder that the DDoS threat keeps evolving, as threat actors prove to be persistent adversaries. Securing your environment and being proactive is the key to DDoS resilience.