HTTP/2 Rapid Reset vulnerability was announced on October 10, 2023.
Recently, CDNetworks Security Platform has detected a zero-day vulnerability known as CVE-2023-44487, which exploits the HTTP/2 protocol denial-of-service vulnerability. Malicious attackers exploit this vulnerability to launch large-scale DDoS attacks against HTTP/2 servers.
According to public data, the scale of DDoS attacks launched using this vulnerability has reached a staggering 398 million QPS, increasing the global record of attack peaks by an order of magnitude.
About HTTP/2
HTTP/2 (Hypertext Transfer Protocol 2.0) is the next-generation HTTP protocol on the Internet. HTTP/2 introduces the multiplexing technique, allowing multiple requests and responses to be sent simultaneously over a single connection, thereby improving resource utilization. It also supports features like header compression and server push, reducing network transmission overhead. Furthermore, HTTP/2 supports encrypted transmission, providing enhanced security.
Vulnerability Details
Under traditional HTTP 1.1, browsers have a certain limit on the number of requests per domain that can be made at the same time. If the limit is exceeded, additional requests are blocked. HTTP/2 introduces a new feature called stream multiplexing. Multiple requests, known as streams, consisting of HEADERS and DATA frames can be sent concurrently and out of order on a TCP connection. This is because each stream has an associated ID, which allows the server to identify which stream the frames belong to and how to respond. This feature greatly improves performance.
However, such characteristics of HTTP/2 can also be exploited by attackers, making DDoS attacks more efficient.
Since servers need to consume CPU and memory resources to process each frame and stream, if the concurrent stream feature is abused, it can quickly deplete server resources. To control the maximum resource usage, servers set a limit on the maximum number of concurrent streams. However, the HTTP/2 protocol allows clients to send RST_STREAM frames to unilaterally cancel previous streams. This is used to inform the server to stop responding to the previous requests, preventing bandwidth wastage. This leads to the following phenomenon:
When a client sends both a request and a reset frame (RST_STREAM) for the same request at the same time on a TCP connection, the server will not consider the request as an active state and will not count it in the concurrent stream limit. Clients can quickly open and reset a large number of streams on the same TCP connection, while the server still needs to perform a considerable amount of work for the canceled requests. This ultimately exhausts server resources, leading to denial-of-service.
By leveraging this method, attackers gain an unfair advantage where the cost of the attack is significantly lower than the cost of defense:
- The maximum number of concurrent requests by clients no longer depends on the round-trip time (RTT) but solely relies on available network bandwidth, allowing clients to significantly increase the number of concurrent requests they can send.
- Since the server stops responding to previous requests after receiving RST_STREAM, it reduces the server bandwidth required for attacking.
CDNetworks Countermeasures
CDNetworks has promptly taken steps to address this vulnerability by implementing corresponding mitigations. CDNetworks has configured the maximum number of HTTP requests that can be transferred over a single connection across the entire platform. This helps mitigate the impact of the vulnerability, and the configuration is customizable, allowing customers to adjust the threshold as needed.
As attackers can exploit this vulnerability to launch large-scale DDoS attacks, customers who have not implemented DDoS protection measures are advised to enable the corresponding protection as soon as possible.
CDNetworks has promptly enhanced its Web Application & API Protection capabilities to provide improved DDoS protection, thereby ensuring the security and stability of customers’ businesses. To benefit from comprehensive protection, promptly get in touch with your customer service team to implement CDNetworks’ Web Application and API Protection solution.
CDNetworks’ security platform will continue to analyze and identify the IP addresses initiating HTTP/2 rapid reset attacks in real-time and block malicious IPs at the network layer. Leveraging the powerful processing performance at the network layer, it can effectively handle large-scale attacks. Theoretically, this mechanism enables unlimited protection.
At the same time, we will continue to monitor attacks on customers using our WAAP solution, promptly intervene, and respond to various types of security incidents.
