HTTP/2, the successor to HTTP/1.1, was introduced to address performance limitations of web traffic. While it brought several advancements, such as multiplexed streams and server push, it has not been immune to security vulnerabilities. In this post, we dive into the ‘Rapid Reset’ zero-day exploit, a critical weakness affecting HTTP/2 servers.
A zero-day is a vulnerability that is unknown to the software vendor at the time it is first exploited and therefore has no official patch. ‘Rapid Reset’ abuses a feature of the HTTP/2 protocol itself rather than a bug in one product: a malicious client opens streams and immediately cancels (resets) them at a very high rate, forcing the server to do work for requests that never complete and causing disruption or outright denial of service for legitimate users.
The underlying vulnerability, which is believed to affect any web server or proxy that implements HTTP/2, is tracked as CVE-2023-44487 and has been assigned a ‘high severity’ rating with a CVSS score of 7.5.
A Distributed Denial of Service (DDoS) attack overwhelms a target server or service by flooding it with more requests than it can handle. ‘Rapid Reset’ amplifies the attacker’s capability because HTTP/2 lets a client cancel a stream with a single RST_STREAM frame: by the time the cancellation arrives the server has already started processing the request, yet the cancelled stream is freed immediately and no longer counts against the connection’s SETTINGS_MAX_CONCURRENT_STREAMS limit. A single connection can therefore generate an effectively unbounded request rate at almost no cost to the attacker.
Cloudflare, Google and AWS revealed on Tuesday, October 10, 2023, that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ had been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.
Cloudflare started analyzing the attack method and the underlying vulnerability in late August. The company says an unknown threat actor exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks that peaked just above 201 million requests per second (RPS), nearly three times the previous largest attack on record.
In Google’s case, the company observed a DDoS attack that peaked at 398 million RPS, more than seven times the largest attack it had previously seen.
Amazon saw over a dozen HTTP/2 Rapid Reset attacks over the course of two days in late August, with the largest peaking at 155 million RPS.
Consider a simple analogy. Imagine a library where people come and go, borrowing and returning books. Now, what if a group repeatedly requests books and hands them straight back? The librarian still has to fetch every book, the group’s per-card borrowing limit is never reached because each book is returned before the next is requested, and genuine readers cannot get served.
The exploit works in a similar way: the client sends a HEADERS frame to open a stream (a request) and immediately follows it with a RST_STREAM frame to cancel that stream, then repeats this as fast as the connection allows. Each request still costs the server real work (parsing headers, routing, often a backend call), while the client’s cost per request is two small frames, and because reset streams stop counting as open, the server’s concurrent-stream limit never slows the client down.
Addressing the ‘Rapid Reset’ exploit requires a two-fold approach: mitigating the traffic in front of the server, and fixing the way the server itself accounts for cancelled streams.
It is first recommended that organizations apply configuration changes and mitigations through infrastructure providers and CDNs where necessary to reduce exposure to this novel DDoS technique. Vendor patches for the affected HTTP/2 stacks address the second part at the server: they track how many streams a client cancels on a connection and close the connection with GOAWAY once that count or rate exceeds a threshold, so a single connection can no longer generate an unbounded request rate.
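The open-then-cancel loop described above and the per-connection reset accounting that patched servers added can be made concrete with a small simulation. The following Python is an added example written for this post, not code from Cloudflare, Google, AWS or any HTTP/2 implementation: it serialises and parses raw HTTP/2 frames, constructs an attacker burst of HEADERS immediately followed by RST_STREAM, and models one connection’s stream accounting with and without a hypothetical per-connection reset budget. The placeholder header block bytes, the 100-stream limit and the 1000-reset budget are assumptions chosen for illustration.

```python
import struct
from typing import Optional

# Frame type codes and flags from RFC 9113 (HTTP/2), section 6.
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL = 0x8                   # RST_STREAM error code used by "Rapid Reset"
MAX_CONCURRENT_STREAMS = 100   # assumed SETTINGS_MAX_CONCURRENT_STREAMS value

def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream identifier, then the payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:      # truncated trailing frame: stop cleanly
            break
        yield ftype, flags, stream_id, payload
        pos += 9 + length

def rapid_reset_burst(n: int) -> bytes:
    """Constructed attacker traffic: n requests on one connection, each opened
    with HEADERS and cancelled by RST_STREAM(CANCEL) in the very next frame.
    The header block is a placeholder; a real client would HPACK-encode it."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1                # client-initiated streams are odd-numbered
        out += frame(HEADERS, END_STREAM | END_HEADERS, sid, b"\x82\x84\x86")
        out += frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL))
    return bytes(out)

def plain_burst(n: int) -> bytes:
    """Constructed well-behaved traffic: n requests that are never cancelled."""
    return b"".join(frame(HEADERS, END_STREAM | END_HEADERS, 2 * i + 1, b"\x82\x84\x86")
                    for i in range(n))

def simulate_server(data: bytes, reset_budget: Optional[int] = None) -> dict:
    """Model a server's stream accounting for one connection.
    reset_budget=None reproduces the unmitigated behaviour; an integer models
    the patched behaviour of sending GOAWAY and closing the connection once the
    client has cancelled more than that many streams (hypothetical threshold)."""
    open_streams = set()
    stats = {"requests": 0, "resets": 0, "peak_concurrent": 0,
             "refused": 0, "goaway": False}
    for ftype, _flags, sid, _payload in parse_frames(data):
        if ftype == HEADERS:
            if len(open_streams) >= MAX_CONCURRENT_STREAMS:
                stats["refused"] += 1  # limit binds: the stream would be refused
                continue
            open_streams.add(sid)
            stats["requests"] += 1     # server work starts here (parse, route, backend)
            stats["peak_concurrent"] = max(stats["peak_concurrent"], len(open_streams))
        elif ftype == RST_STREAM:
            open_streams.discard(sid)  # slot freed instantly; the work already happened
            stats["resets"] += 1
            if reset_budget is not None and stats["resets"] > reset_budget:
                stats["goaway"] = True # mitigated server: GOAWAY, stop reading
                break
    return stats

if __name__ == "__main__":
    burst = rapid_reset_burst(5000)
    print(simulate_server(burst))                     # peak_concurrent stays 1, all 5000 served
    print(simulate_server(burst, reset_budget=1000))  # connection closed after 1001 resets
    print(simulate_server(plain_burst(150)))          # normal client: limit refuses 50
```

The unmitigated run shows the core of the problem: 5,000 requests are fully processed while the connection never has more than one stream open, so the concurrent-stream limit that correctly refuses the 101st uncancelled request does nothing here. Counting resets per connection, as the patched stacks do, cuts the same burst off after the budget is spent.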
In conclusion, while HTTP/2 brought significant improvements in web traffic performance, it is essential to be aware of its weaknesses. The ‘Rapid Reset’ zero-day exploit underscores the need for constant vigilance in the ever-evolving landscape of web security: keep HTTP/2 implementations patched, keep rate-limiting and DDoS mitigations in front of them, and be proactive in implementing security best practices.