Headline
HTTP/2 Rapid Reset Zero-Day Vulnerability Exploited to Launch Record DDoS Attacks
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset. The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487,
Server Security / Vulnerability
Amazon Web Services (AWS), Cloudflare, and Google on Tuesday said they took steps to mitigate record-breaking distributed denial-of-service (DDoS) attacks that relied on a novel technique called HTTP/2 Rapid Reset.
The layer 7 attacks were detected in late August 2023, the companies said in a coordinated disclosure. The cumulative susceptibility to this attack is being tracked as CVE-2023-44487, and carries a CVSS score of 7.5 out of a maximum of 10.
While the attacks aimed at Google’s cloud infrastructure peaked at 398 million requests per second (RPS), the ones aimed at AWS and Cloudflare exceeded a volume of 155 million and 201 million requests per second (RPS), respectively.
HTTP/2 Rapid Reset refers to a zero-day flaw in the HTTP/2 protocol that can be exploited to carry out DDoS attacks. A significant feature of HTTP/2 is multiplexing requests over a single TCP connection, which manifests in the form of concurrent streams.
What’s more, a client that wants to abort a request can issue a RST_STREAM frame to halt the data exchange. The Rapid Reset attack leverages this method to send and cancel requests in quick succession, thereby circumventing the server’s concurrent stream maximum and overloading the server without reaching its configured threshold.
“HTTP/2 rapid reset attacks consist of multiple HTTP/2 connections with requests and resets in rapid succession,” Mark Ryland and Tom Scholl at AWS said.
“For example, a series of requests for multiple streams will be transmitted followed up by a reset for each of those requests. The targeted system will parse and act upon each request, generating logs for a request that is then reset, or canceled, by a client.”
This ability to reset streams immediately allows each connection to have an indefinite number of requests in flight, thereby enabling a threat actor to issue a barrage of HTTP/2 requests that can overwhelm a targeted website’s capability to respond to new incoming requests, effectively taking it down.
Put differently, by initiating hundreds of thousands of HTTP/2 streams and rapidly canceling them at scale over an established connection, threat actors can overwhelm websites and knock them offline. Another crucial aspect is that such attacks can be pulled off using a modestly-sized botnet, something to tune of 20,000 machines as observed by Cloudflare.
“This zero-day provided threat actors with a critical new tool in their Swiss Army knife of vulnerabilities to exploit and attack their victims at a magnitude that has never been seen before,” Grant Bourzikas, chief security officer at Cloudflare, said.
HTTP/2 is used by 35.6% of all the websites, according to W3Techs. The percentage of requests that use HTTP/2 is at 77%, per data shared by Web Almanac.
Google Cloud said it has observed multiple variants of the Rapid Reset attacks that while not as effective as the initial version, are more efficient than the standard HTTP/2 DDoS attacks.
“The first variant does not immediately cancel the streams, but instead opens a batch of streams at once, waits for some time, and then cancels those streams and then immediately opens another large batch of new streams,” Juho Snellman and Daniele Lamartino said.
“The second variant does away with canceling streams entirely, and instead optimistically tries to open more concurrent streams than the server advertised.”
F5, in an independent advisory of its own, said the attack impacts the NGINX HTTP/2 module and has urged its customers to update their NGINX configuration to limit the number of concurrent streams to a default of 128 and persist HTTP connections for up to 1000 requests.
“After today, threat actors will be largely aware of the HTTP/2 vulnerability; and it will inevitably become trivial to exploit and kickoff the race between defenders and attacks — first to patch vs. first to exploit,” Bourzikas further said. “Organizations should assume that systems will be tested, and take proactive measures to ensure protection.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
Ubuntu Security Notice 6754-1 - It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
Red Hat Security Advisory 2024-0766-03 - Red Hat OpenShift Container Platform release 4.15.0 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-0304-03 - Updated images are now available for Red Hat Advanced Cluster Security 3.74. The updated images includes bug and security fixes.
Red Hat Security Advisory 2023-7704-03 - Red Hat OpenShift Virtualization release 4.14.1 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7481-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-7288-01 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Issues addressed include bypass, code execution, cross site scripting, and denial of service vulnerabilities.
Red Hat Security Advisory 2023-6233-01 - Red Hat OpenShift Container Platform low-latency extras release 4.12, which provides an update for cnf-tests-container, performance-addon-operator-must-gather-rhel8-container, NUMA-aware secondary scheduler and numaresources-operator, is now available. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6202-01 - Red Hat Advanced Cluster Management for Kubernetes 2.6.8 General Availability release images, which provide security updates and fix bugs. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6105-01 - An update is now available for Red Hat JBoss Core Services. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6085-01 - An update is now available for Red Hat Openshift distributed tracing 2.9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6084-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-6071-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5979-01 - Updated Satellite 6.12 packages that fixes important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-5969-01 - An update for collectd-libpod-stats, etcd, and python-octavia-tests-tempest is now available for Red Hat OpenStack Platform 17.1.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5952-01 - An update is now available for Red Hat OpenShift Service Mesh 2.4 for RHEL 8.
Red Hat Security Advisory 2023-5931-01 - Updated Satellite 6.13 packages that fixes Important security bugs and several regular bugs are now available for Red Hat Satellite. Issues addressed include code execution and denial of service vulnerabilities.
Red Hat Security Advisory 2023-5864-01 - An update for grafana is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5838-01 - libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5810-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language.
Red Hat Security Advisory 2023-5805-01 - Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to individual teams, while automation developers retain the freedom to write tasks that leverage existing knowledge without the overhead. Ansible Automation Platform makes it possible for users across an organization to share, vet, and manage automation content by means of a simple, powerful, and agentless language. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5784-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.7.5 serves as a replacement for Red Hat JBoss Web Server 5.7.4. This release includes bug fixes, enhancements and component upgrades, which are documented in the Release Notes, linked to in the References section. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5706-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.
Red Hat Security Advisory 2023-5780-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only erratum is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5769-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5767-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5766-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5714-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5713-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2023-5711-01 - nginx is a web and proxy server supporting HTTP and other protocols, with a focus on high concurrency, performance, and low memory usage. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5522-2 - The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
Plus, many of the world’s largest cloud providers are warning of a vulnerability that attackers exploited in August to launch the largest distributed denial-of-service attack on record.
Cisco Talos is actively tracking the novel distributed denial-of-service (DDoS) attacks cloud services provider Cloudflare disclosed earlier this week. The techniques described in Cloudflare’s blog post resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future. CVE-2023-44487 CVE-2023-44487, a vulnerability in the
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see ...
Debian Linux Security Advisory 5522-1 - Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.
By Deeba Ahmed Google, Cloudflare, and AWS Disclosed Digital History’s Largest Ever DDoS Attack- Courtesy HTTP/2 Zero-day. This is a post from HackRead.com Read the original post: Google, Cloudflare, and AWS Disclose Largest DDoS Attack in History
Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two
Microsoft today issued security updates for more than 100 newly-discovered vulnerabilities in its Windows operating system and related software, including four flaws that are already being exploited. In addition, Apple recently released emergency updates to quash a pair of zero-day bugs in iOS.
swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.