Amazon Web Services (AWS), Cloudflare, and Google announced on Tuesday that they took actions to mitigate unprecedented distributed denial-of-service (DDoS) attacks using a novel technique called HTTP/2 Rapid Reset.
These layer 7 attacks were first identified in late August 2023, according to a coordinated disclosure by the companies. The collective vulnerability to this attack is cataloged as CVE-2023-44487 and has been assigned a CVSS score of 7.5 out of 10.
The DDoS attacks targeting Google’s cloud infrastructure peaked at 398 million requests per second (RPS), while those directed at AWS and Cloudflare reached over 155 million and 201 million RPS, respectively.
HTTP/2 Rapid Reset exploits a zero-day vulnerability in the HTTP/2 protocol to execute DDoS attacks. HTTP/2’s multiplexing capability, which allows multiple requests over a single TCP connection, is central to this flaw, manifesting through concurrent streams.
Moreover, a client wishing to abort a request can send a RST_STREAM frame to stop data exchange.
The Rapid Reset attack manipulates this mechanism to rapidly send and cancel requests, bypassing the server’s limit on concurrent streams and overwhelming it without triggering its configured thresholds.
“HTTP/2 rapid reset attacks involve multiple HTTP/2 connections with rapid succession requests and resets,” explained Mark Ryland and Tom Scholl from AWS.
“For instance, a sequence of requests across multiple streams is transmitted, followed by a reset for each request. The targeted system processes each request and logs it, only for the request to be immediately reset or canceled by the client.”
This ability to reset streams instantly enables each connection to maintain an indefinite number of active requests, allowing attackers to flood a targeted website with HTTP/2 requests, effectively crippling its capacity to handle new incoming requests and taking it offline.
In simpler terms, attackers can initiate hundreds of thousands of HTTP/2 streams and quickly cancel them at scale within an established connection, overwhelming websites and forcing them offline.
An important aspect of these attacks is that they can be executed using a relatively small botnet, as observed by Cloudflare with around 20,000 machines.
“This zero-day provided threat actors with a powerful new tool in their arsenal, allowing them to exploit vulnerabilities and attack their targets at an unprecedented scale,” stated Grant Bourzikas, Chief Security Officer at Cloudflare.
According to W3Techs, HTTP/2 is utilized by 35.6% of all websites, and Web Almanac data shows that 77% of requests use HTTP/2.
Google Cloud has reported observing multiple variants of Rapid Reset attacks that, while less effective than the original version, are still more efficient than standard HTTP/2 DDoS attacks.
“The first variant delays canceling the streams, instead opening a batch of streams, waiting for a while, and then canceling them before opening another large batch of streams,” explained Juho Snellman and Daniele Lamartino.
“The second variant eliminates canceling streams altogether, instead optimistically trying to open more concurrent streams than the server has advertised.”
F5, in a separate advisory, noted that the attack affects the NGINX HTTP/2 module and advised customers to update their NGINX configurations to limit the number of concurrent streams to a default of 128 and to persist HTTP connections for up to 1,000 requests.
“Now that the HTTP/2 vulnerability is widely known, it will soon become trivial to exploit, setting off a race between defenders and attackers — first to patch versus first to exploit,” Bourzikas added.
“Organizations should assume their systems will be tested and take proactive steps to ensure they are protected.”
