In a coordinated disclosure on a recent Tuesday, Amazon Web Services (AWS), Cloudflare, and Google unveiled the discovery of a new zero-day vulnerability in the HTTP/2 protocol, known as HTTP/2 Rapid Reset. This vulnerability has been exploited to execute distributed denial-of-service (DDoS) attacks of unprecedented scale. The layer 7 attacks were first detected in late August 2023 and reached an alarming rate of requests per second (rps) at each of these major service providers.

The Scale of Attacks

To put the scale into perspective, Amazon faced attacks reaching 155 million rps, Cloudflare 201 million rps, and Google a record-breaking 398 million rps. The vulnerability has been assigned the Common Vulnerabilities and Exposures identifier CVE-2023-44487, with a Common Vulnerability Scoring System (CVSSv3) score of 7.5.

Technical Insights into the Vulnerability

The HTTP/2 protocol allows multiple requests, carried as streams, to be multiplexed over a single TCP connection. HTTP/2 Rapid Reset abuses this feature: the client opens a series of streams and immediately sends a reset for each one. Because a reset stream no longer counts against the server’s limit on concurrent streams, the client can keep opening new streams without ever reaching that limit, while the server has already begun work on every request it received. This tactic overwhelms the targeted system’s ability to respond and can take the website offline.

Exploitation Capabilities

Interestingly, the execution of these attacks does not require a massive botnet. Cloudflare observed that a botnet of approximately 20,000 machines is sufficient to launch such an attack. The HTTP/2 protocol is currently used by about 35.6% of all websites, making this a significant concern for a broad range of online services.

Mitigation Strategies by Service Providers

Service providers have responded with immediate countermeasures. Cloudflare, for example, found that HTTP/2 proxies or load balancers are notably susceptible to rapid reset requests. They implemented a mitigation system called ‘IP Jail’ across their entire infrastructure to isolate and restrict offending IP addresses. Amazon has also reported successful mitigation but has not disclosed the specifics of their approach.

Recommendations for Counteraction

  1. Utilization of HTTP-Flood Protection Tools: It is highly recommended for clients to employ all available HTTP-flood protection mechanisms.
  2. Implementation of Rate Controls: Software developers should enforce rate controls in their HTTP/2-based software.
  3. NGINX Configuration Update: F5 suggests that NGINX users should update their configuration settings to limit the number of concurrent streams and persist HTTP connections for a specified number of requests.
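The rate-control recommendation above is easier to reason about with a concrete model. The following is an added example, not code from the article or from any of the vendors it names: a small per-connection limiter that processes HTTP/2 frame events. It shows why a concurrent-stream limit alone does not stop a reset flood (every reset frees the slot, so concurrency stays at one) and how counting RST_STREAM frames per connection in a sliding window gives the server a basis for closing the abusive connection. The frame sequences, thresholds and class names are constructed for illustration.

```python
"""Per-connection HTTP/2 reset-rate control (added example, not from the article).

Assumption: the server already enforces a concurrent-stream limit. The limiter
additionally counts RST_STREAM frames per connection in a sliding window and
asks the server to close the connection once that rate becomes abusive.
"""
from collections import deque
from dataclasses import dataclass, field

HEADERS = "HEADERS"        # opens a new stream
RST_STREAM = "RST_STREAM"  # cancels a stream; frees its concurrency slot


@dataclass
class ConnState:
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)  # timestamps of RST_STREAM frames
    peak_concurrency: int = 0
    work_started: int = 0  # requests the server began processing, reset or not


class ResetRateLimiter:
    """Decide, frame by frame, whether a connection is abusing stream resets."""

    def __init__(self, max_resets: int = 100, window_s: float = 1.0,
                 max_concurrent: int = 128):
        self.max_resets = max_resets        # constructed threshold
        self.window_s = window_s            # sliding window in seconds
        self.max_concurrent = max_concurrent
        self.conns: dict = {}

    def on_frame(self, conn_id, ts: float, frame_type: str, stream_id: int) -> str:
        """Return 'ok', 'refuse_stream' or 'close_connection'."""
        st = self.conns.setdefault(conn_id, ConnState())
        if frame_type == HEADERS:
            if len(st.open_streams) >= self.max_concurrent:
                return "refuse_stream"  # the limit the server already had
            st.open_streams.add(stream_id)
            st.work_started += 1  # work begins before any reset can arrive
            st.peak_concurrency = max(st.peak_concurrency, len(st.open_streams))
            return "ok"
        if frame_type == RST_STREAM:
            st.open_streams.discard(stream_id)  # slot freed: the limit is never hit
            st.reset_times.append(ts)
            while st.reset_times and ts - st.reset_times[0] > self.window_s:
                st.reset_times.popleft()
            if len(st.reset_times) > self.max_resets:
                return "close_connection"
            return "ok"
        return "ok"


def replay(limiter: ResetRateLimiter, conn_id, frames):
    """Feed (ts, frame_type, stream_id) tuples until the limiter closes the connection."""
    decision = "ok"
    for ts, ftype, sid in frames:
        decision = limiter.on_frame(conn_id, ts, ftype, sid)
        if decision == "close_connection":
            break
    st = limiter.conns[conn_id]
    return {"decision": decision, "peak_concurrency": st.peak_concurrency,
            "work_started": st.work_started}


def normal_client_frames(n: int = 20):
    """Constructed: a browser opens n streams and cancels one of them."""
    frames = [(i * 0.05, HEADERS, 2 * i + 1) for i in range(n)]
    frames.append((n * 0.05, RST_STREAM, 1))
    return frames


def rapid_reset_frames(n: int = 1000):
    """Constructed: each stream is opened and reset within the same millisecond."""
    frames = []
    for i in range(n):
        ts = i * 0.001
        frames.append((ts, HEADERS, 2 * i + 1))
        frames.append((ts, RST_STREAM, 2 * i + 1))
    return frames


if __name__ == "__main__":
    lim = ResetRateLimiter()
    print("normal client:", replay(lim, "c1", normal_client_frames()))
    print("rapid reset:  ", replay(lim, "c2", rapid_reset_frames()))
```

Running the block shows the contrast a practitioner cares about: the normal client peaks at 20 concurrent streams and is never flagged, while the reset pattern never exceeds a concurrency of 1, so the 128-stream limit is irrelevant, yet the server has already started work on 101 requests by the time the reset counter crosses the threshold and the connection is closed. Real implementations tune the window and threshold to their traffic, and combine this with the HTTP-flood protection and connection lifetime limits listed above.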

Final Thoughts

While service providers have taken steps to mitigate the impact of HTTP/2 Rapid Reset attacks, the responsibility also lies with end-users and developers to strengthen their defenses. Given the scale and efficiency of these attacks, a multi-faceted approach involving various mitigation tools and updated configurations is essential. The recent attacks serve as a stark reminder of the constant evolution of cybersecurity threats and underline the importance of proactive defense mechanisms.
