Cloudflare, Google and Amazon Web Services (AWS) announced on Tuesday that they have taken measures to mitigate distributed denial-of-service (DDoS) attacks using a novel technique called HTTP/2 Rapid Reset.

Late in August 2023, the companies detected layer 7 attacks and disclosed them collectively. The vulnerability associated with these attacks is being tracked as CVE-2023-44487, with a CVSS score of 7.5 out of 10.

The attacks on Google’s cloud infrastructure peaked at 398 million requests per second (RPS), while those on AWS and Cloudflare exceeded 155 million and 201 million RPS respectively.

The HTTP/2 Rapid Reset technique exploits a zero-day flaw in the HTTP/2 protocol to carry out DDoS attacks. One of the key features of HTTP/2 is the ability to multiplex requests over a single TCP connection, allowing for concurrent streams.

In HTTP/2, a client can send a RST_STREAM frame to abort a request and halt the data exchange. The Rapid Reset attack abuses this mechanism by sending requests and cancelling them immediately: because each reset frees its stream slot, the attacker stays below the server’s concurrent-stream limit while still forcing it to process every request, so the server is overwhelmed without its configured threshold ever being reached.

Mark Ryland and Tom Scholl from AWS explained that “HTTP/2 rapid reset attacks consist of multiple HTTP/2 connections with requests and resets in rapid succession. The system being targeted will analyze and respond to every request it receives. It will generate logs for each request and then reset or cancel the request based on the client’s actions.”

By exploiting the ability to reset streams immediately, threat actors can generate an unlimited number of requests in flight, overwhelming a targeted website’s ability to respond to new incoming requests and effectively taking it down.
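The mechanism described above can be made concrete with a small per-connection monitor. This is an added example, not code from the article or from any of the vendors it cites; the frame events, thresholds and traces are constructed for illustration. It shows why a plain concurrent-stream limit never fires during a Rapid Reset flood (the peak number of open streams stays at one) and why a sliding-window ratio of resets to requests does catch it.

```python
from collections import deque

# Illustrative thresholds, not values from any vendor's mitigation.
MAX_CONCURRENT_STREAMS = 100  # SETTINGS_MAX_CONCURRENT_STREAMS the server advertises
WINDOW, MIN_REQUESTS, RESET_RATIO = 1.0, 50, 0.5  # seconds, requests, fraction reset

class ConnectionMonitor:
    """Per-connection state: open streams plus recent HEADERS/RST_STREAM events."""
    def __init__(self):
        self.open_streams, self.peak_open = set(), 0
        self.events = deque()  # (timestamp, "req" | "rst"), oldest first

    def is_abusive(self):
        reqs = sum(1 for _, kind in self.events if kind == "req")
        rsts = sum(1 for _, kind in self.events if kind == "rst")
        return reqs >= MIN_REQUESTS and rsts / reqs >= RESET_RATIO

    def on_frame(self, ts, frame, stream_id):
        """Feed one client frame; return True when the connection should be closed."""
        while self.events and ts - self.events[0][0] > WINDOW:  # slide the window
            self.events.popleft()
        if frame == "HEADERS":  # new request opens a stream
            if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
                return True  # the limit a Rapid Reset client never trips
            self.open_streams.add(stream_id)
            self.peak_open = max(self.peak_open, len(self.open_streams))
            self.events.append((ts, "req"))
        elif frame == "RST_STREAM":  # client cancels the request, freeing its slot
            self.open_streams.discard(stream_id)
            self.events.append((ts, "rst"))
        elif frame == "END_STREAM":  # request completed normally
            self.open_streams.discard(stream_id)
        return self.is_abusive()

def replay(trace):
    """Run a (ts, frame, stream_id) trace; return (peak open streams, first flagged stream)."""
    mon, flagged_at = ConnectionMonitor(), None
    for ts, frame, sid in trace:
        if mon.on_frame(ts, frame, sid) and flagged_at is None:
            flagged_at = sid
    return mon.peak_open, flagged_at

def make_trace(n, step, closing_frame, delay):
    """Constructed trace of n requests (odd client stream ids), each closed after delay seconds."""
    return [ev for i in range(n) for ev in
            ((i * step, "HEADERS", 2 * i + 1), (i * step + delay, closing_frame, 2 * i + 1))]

RAPID_RESET = make_trace(1000, 0.0005, "RST_STREAM", 0.0001)  # 2000 req/s, every one cancelled
BENIGN = make_trace(30, 0.03, "END_STREAM", 0.01)             # requests complete normally
```

Replaying RAPID_RESET reports a peak of one open stream yet flags the connection at the 50th request, while BENIGN is never flagged.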

These attacks can be carried out using a moderately-sized botnet, as observed by Cloudflare with approximately 20,000 machines.

Grant Bourzikas, chief security officer at Cloudflare, emphasized that this zero-day vulnerability has provided threat actors with a powerful new tool to exploit victims on an unprecedented scale.

According to W3Techs, HTTP/2 is used by 35.6% of all websites, and approximately 77% of requests use HTTP/2, as reported by Web Almanac.

Google Cloud has observed multiple variants of the Rapid Reset attacks, which, although not as effective as the initial version, are more efficient than standard HTTP/2 DDoS attacks.

F5, in a separate advisory, has stated that the attack impacts the NGINX HTTP/2 module. They have recommended that customers update their NGINX configuration to restrict the maximum number of concurrent streams to 128 by default and maintain HTTP connections for a maximum of 1000 requests.

Grant Bourzikas further advised organizations to assume that their systems will be targeted and take proactive measures to ensure protection, as the vulnerability is likely to be exploited by threat actors.
