Understanding the HTTP/2 ‘Rapid Reset’ Zero-Day Exploit

HTTP/2, the successor of the HTTP/1.1 protocol, was introduced to address performance limitations in the world of web traffic. While it brought several advancements, like multiplexed streams and server push, it has not been immune to security vulnerabilities. In this post, we’ll dive deep into the ‘Rapid Reset’ Zero-Day exploit, a critical vulnerability affecting HTTP/2 servers.

What is the ‘Rapid Reset’ Zero-Day Exploit?

A zero-day exploit takes advantage of a vulnerability that is unknown to the software vendor and therefore lacks an official patch. The ‘Rapid Reset’ exploit refers to a flaw in the HTTP/2 protocol where malicious actors can trigger the premature closure of many streams, causing disruption or an outright denial-of-service condition for legitimate users.

The underlying vulnerability, which is believed to impact every web server implementing HTTP/2, is tracked as CVE-2023-44487 and it has been assigned a ‘high severity’ rating with a CVSS score of 7.5.

Launching DDoS Attacks Using the ‘Rapid Reset’ Exploit

The Distributed Denial of Service (DDoS) attack is a tactic employed by attackers to overwhelm a target server or service by flooding it with traffic. The ‘Rapid Reset’ exploit amplifies the attacker’s capability in the following way:

  1. Multiplexed Streams Abuse: In HTTP/2, many requests can be sent over a single TCP connection as independent streams. The exploit targets the stream management mechanism, forcing the server to open and tear down streams constantly and unexpectedly.
  2. Resource Exhaustion: Every premature, unexpected stream reset consumes resources, from memory to CPU cycles. Repeatedly triggering this in a short span can overwhelm even well-resourced servers.
  3. Network Amplification: An attacker can use a small number of systems to send HTTP/2 requests immediately followed by stream resets. The server, believing it is handling legitimate traffic, tries to keep up, and the resulting load amounts to a self-inflicted DDoS.

‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History

Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history.

Cloudflare started analyzing the attack method and the underlying vulnerability in late August. The company says an unknown threat actor has exploited a weakness in the widely used HTTP/2 protocol to launch “enormous, hyper-volumetric” DDoS attacks that peaked just above 201 million requests per second. This was nearly three times the size of the previous largest attack on record.

In Google’s case, the company observed a DDoS attack that peaked at 398 million RPS, more than seven times the largest attack the internet giant had previously seen.

Amazon saw over a dozen HTTP/2 Rapid Reset attacks over the course of two days in late August, with the largest peaking at 155 million RPS.

How the Exploit Works: An Example

Consider a simple analogy. Imagine a library where people come and go, borrowing and returning books. Now, what if a group repeatedly borrows books and returns them immediately, causing chaos and preventing genuine readers from accessing the library efficiently?

The exploit works in a similar way:

  1. Attacker establishes an HTTP/2 connection to the target server.
  2. They initiate multiple streams within this connection.
  3. Before the server can respond adequately to each stream, the attacker sends a rapid succession of RST_STREAM frames, forcing the server to reset those streams.
  4. The server, trying to handle these unexpected resets, consumes significant resources, slowing down or even crashing.

Resolution

Addressing the ‘Rapid Reset’ exploit requires a two-fold approach:

  1. Protocol-level Fixes: Enhancements in the HTTP/2 specification can introduce rate limits or checks against rapid reset patterns. This will ensure that the server isn’t caught off-guard by unexpected stream resets.
  2. Server-side Mitigations: Server administrators can deploy monitoring tools to detect abnormal patterns in stream resets. By setting thresholds, servers can temporarily block or rate-limit sources showing suspicious behavior. Additionally, keeping server software updated is crucial as vendors might release patches once they’re aware of such vulnerabilities.
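The four attack steps above and the threshold-based mitigation in item 2 can be demonstrated together with a per-connection reset counter. This is an added example, not code from the original post or from any named vendor's fix; it parses the fixed 9-octet HTTP/2 frame header to spot RST_STREAM frames (type 0x3 in RFC 9113) and tears down a connection once it sends more than a configurable number of resets inside a sliding time window. The connection id, the one-second window and the threshold of three are constructed values for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// RST_STREAM frame type code from RFC 9113; this is the frame the attack floods.
const frameRSTStream uint8 = 0x3

// ParseFrameHeader decodes the fixed 9-octet HTTP/2 frame header into type and stream ID.
func ParseFrameHeader(b []byte) (frameType uint8, streamID uint32, err error) {
	if len(b) < 9 {
		return 0, 0, errors.New("short frame header")
	}
	return b[3], binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff, nil
}

// ResetLimiter counts RST_STREAM frames per connection inside a sliding window.
type ResetLimiter struct {
	Window    time.Duration
	MaxResets int // illustrative threshold an operator would tune
	seen      map[string][]time.Time
}

func NewResetLimiter(window time.Duration, maxResets int) *ResetLimiter {
	return &ResetLimiter{Window: window, MaxResets: maxResets, seen: map[string][]time.Time{}}
}

// Observe records one frame from connID at time now and returns true when the
// connection should be torn down (send GOAWAY, then close the TCP connection).
func (l *ResetLimiter) Observe(connID string, frameType uint8, now time.Time) bool {
	if frameType != frameRSTStream {
		return false // ordinary multiplexed traffic never counts against the limit
	}
	ts, cut := l.seen[connID], now.Add(-l.Window)
	for len(ts) > 0 && !ts[0].After(cut) {
		ts = ts[1:] // expire timestamps that fell out of the window
	}
	l.seen[connID] = append(ts, now)
	return len(l.seen[connID]) > l.MaxResets
}

func main() { // constructed burst: five resets within 50 ms on one connection
	l, now := NewResetLimiter(time.Second, 3), time.Now()
	for i := 0; i < 5; i++ {
		fmt.Println("reset", i+1, "tear down:", l.Observe("conn-1", frameRSTStream, now.Add(time.Duration(i)*10*time.Millisecond)))
	}
}
```

A real server would apply the check inside its frame loop and log the tear-down with the peer address so that repeat offenders can be rate-limited upstream.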

Mitigation via infrastructure provider

Organizations are first advised to apply configuration changes and mitigations through their infrastructure providers and CDNs where necessary, to reduce exposure to this novel DDoS technique.

In conclusion, while HTTP/2 brought about significant improvements in web traffic performance, it’s essential to be aware of its vulnerabilities. The ‘Rapid Reset’ Zero-Day exploit underscores the need for constant vigilance in the ever-evolving landscape of web security. Always stay updated and be proactive in implementing security best practices.