In late August 2023 [8], Cloudflare observed a new DDoS technique, now known as the “HTTP/2 Rapid Reset” attack. It exploits a weakness in the HTTP/2 protocol itself rather than in any single implementation [4]: a client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM, and because a cancelled stream no longer counts toward the server's concurrent-stream limit the client can send request/reset pairs without bound while the server still spends work on every request it has already dispatched [6] [9]. The weakness affects roughly 60% of all web applications [4] and has already produced record-breaking DDoS attacks.

Description

The HTTP/2 Rapid Reset attack [6] [7] [9], tracked as CVE-2023-44487 [4], was exploited in the wild before it was disclosed, producing massive DDoS attacks on web servers. Cloudflare mitigated an attack that peaked at 201 million requests per second [6] [1] [2] [3] [4] [5] [8] [10]; the largest attacks seen by Amazon Web Services and Google in the same period peaked at 155 million [7] and 398 million requests per second [9] respectively. Surprisingly, these attacks were carried out by a relatively small botnet of around 20,000 machines [4].

Although customer traffic was affected at first [1], Cloudflare has since refined its mitigations so that they stop the attack without disrupting its own systems [1]. It has identified and mitigated more than a thousand of these attacks [4], some of which exceeded 10 million requests per second. As threat actors turn to larger botnets, these attacks are expected to keep setting new records [4].

Because the weakness lies in the protocol, it affects every vendor that has implemented HTTP/2, and there is no single patch that closes it; each implementation has to be updated to bound the number of stream resets it will accept from a connection. Software vendors including Apple [5], Microsoft [5] and F5 have released updates [5], web server vendors and open-source projects have published guidance and patches that reduce the attack surface, and AWS has implemented additional mitigations. Some server software companies were still developing patches at the time of writing [10].

Cloudflare has added a mechanism it calls ‘IP Jail’, which temporarily blocks offending IPs from using HTTP/2 [4]. Amazon has also mitigated dozens of these attacks [4]. Customers can counter the attack by using every available HTTP-flood protection tool and by strengthening their DDoS resilience with multi-layered mitigations [4].
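To make the request/reset pattern described above concrete, and to show the kind of per-connection reset accounting that server-side mitigations rely on, here is an added example in Python. It is not code from the original page, from Cloudflare, AWS or Google, or from any web server; it assumes RFC 9113 frame layouts, a static-table-only HPACK header block, and illustrative thresholds (100 resets per second per connection) that are not any product's defaults. The guard shows why SETTINGS_MAX_CONCURRENT_STREAMS never fires under this attack and how a reset budget closes the connection instead.

```python
"""HTTP/2 Rapid Reset: the client-side frame pattern and a server-side
per-connection reset budget.  Added example, not code from the original page
or from any vendor named in it.  Frame layouts follow RFC 9113; threshold
values are illustrative assumptions, not any product's defaults."""
import struct
from collections import deque

# Frame types, flags and error codes from RFC 9113.
HEADERS, RST_STREAM, GOAWAY = 0x1, 0x3, 0x7
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL, ENHANCE_YOUR_CALM = 0x8, 0xB


def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    assert len(payload) < (1 << 24) and stream_id < (1 << 31)
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)


def request_headers(authority="example.com"):
    """HPACK block for 'GET /' over https using only static-table indices:
    0x82 = :method GET, 0x84 = :path /, 0x87 = :scheme https, then
    :authority (static index 1) as a literal value without Huffman coding."""
    literal = bytes([0x01, len(authority)]) + authority.encode()
    return b"\x82\x84\x87" + literal


def rapid_reset_burst(n, start_stream=1):
    """The attack pattern: for each new odd client stream id, a HEADERS frame
    that completes the request, followed at once by RST_STREAM(CANCEL).
    One pair is 38 bytes on the wire, yet the server has already dispatched
    the request by the time the reset arrives."""
    out, sid = b"", start_stream
    for _ in range(n):
        out += frame(HEADERS, END_STREAM | END_HEADERS, sid, request_headers())
        out += frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
        sid += 2
    return out


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        off += 9 + length


class ConnectionGuard:
    """Server-side accounting for one connection.  open_streams is what the
    SETTINGS_MAX_CONCURRENT_STREAMS check sees; it never grows under Rapid
    Reset, so the defence is a separate sliding-window budget on RST_STREAM
    frames.  Exceeding it closes the connection with GOAWAY(ENHANCE_YOUR_CALM)."""

    def __init__(self, max_resets=100, window_s=1.0, max_concurrent=100):
        self.max_resets, self.window_s, self.max_concurrent = max_resets, window_s, max_concurrent
        self.open_streams = set()
        self.resets = deque()        # timestamps of recent RST_STREAM frames
        self.peak_concurrent = 0     # highest value the concurrency limit ever saw
        self.handled = 0             # requests the server started work on
        self.goaway = None           # GOAWAY frame once the connection is cut

    def feed(self, data, now=0.0):
        """Process client frames received at time `now`; return the GOAWAY
        frame to send (and stop reading) or None if the connection stays open."""
        for ftype, flags, sid, payload in parse_frames(data):
            if self.goaway is not None:
                break
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    continue         # a real server answers RST_STREAM(REFUSED_STREAM)
                self.open_streams.add(sid)
                self.handled += 1    # work is dispatched before any reset can arrive
                self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            elif ftype == RST_STREAM:
                self.open_streams.discard(sid)
                self.resets.append(now)
                while self.resets and now - self.resets[0] > self.window_s:
                    self.resets.popleft()
                if len(self.resets) > self.max_resets:
                    self.goaway = frame(GOAWAY, 0, 0,
                                        struct.pack("!II", sid, ENHANCE_YOUR_CALM))
        return self.goaway


if __name__ == "__main__":
    guard = ConnectionGuard(max_resets=100)
    verdict = guard.feed(rapid_reset_burst(150))
    print("requests dispatched:", guard.handled,
          "peak concurrent streams:", guard.peak_concurrent,
          "connection closed:", verdict is not None)
```

Running the block shows the asymmetry the text describes: the concurrency limit only ever sees one open stream, every request is dispatched before its reset arrives, and only the reset budget ends the connection. A production implementation would also account for frames the server refuses and would pair the per-connection budget with the per-IP blocking (as in Cloudflare's ‘IP Jail’) mentioned above.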

Conclusion

The HTTP/2 Rapid Reset attack represents a significant evolution in the DDoS landscape [3] and highlights the need for vigilance in maintaining security measures. Organizations should update every HTTP/2 implementation they run (web servers, reverse proxies and load balancers alike), confirm that the update bounds stream resets per connection, and prioritize DDoS protection to prevent disruption and damage to their businesses. As the vulnerability continues to be exploited and threat actors become more sophisticated, staying proactive about these attacks is essential to keeping web applications available.

References

[1] https://www.esecurityplanet.com/threats/rapid-reset-ddos-attack-http2-servers/
[2] https://duo.com/decipher/http-2-rapid-reset-flaw-affects-all-major-web-servers
[3] https://www.darkreading.com/cloud/internet-wide-zero-day-bug-fuels-largest-ever-ddos-event
[4] https://vulnera.com/newswire/record-breaking-ddos-attacks-exploit-new-http-2-rapid-reset-zero-day-vulnerability/
[5] https://www.techtarget.com/searchSecurity/news/366554941/Rapid-Reset-DDoS-attacks-exploiting-HTTP-2-vulnerability
[6] https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
[7] https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
[8] https://www.helpnetsecurity.com/2023/10/10/cve-2023-44487-http-2-rapid-reset/
[9] https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
[10] https://www.searchenginejournal.com/http-2-rapid-reset-vulnerability/498178/