In the ever-evolving landscape of cyber threats, security teams face a new challenge with the emergence of the HTTP/2 Rapid Reset vulnerability, tracked as CVE-2023-44487. This vulnerability is currently being exploited by malicious actors, leading to the largest Distributed Denial of Service (DDoS) attacks in history. In this article, we will delve into the details of this threat, the significant impact it has had on tech giants like Google, AWS, and Cloudflare, and the measures that organizations should take to protect their networks.
The HTTP/2 Rapid Reset Attack
The HTTP/2 Rapid Reset attack takes advantage of a previously unknown (zero-day) weakness in the HTTP/2 network protocol. It lets attackers mount a DDoS attack by abusing HTTP/2's stream cancellation feature: the attacker opens a request stream and immediately cancels it, then repeats this at high speed from many bots. Because the server has already started working on each request by the time it is cancelled, the cost lands on the target while the attacker's own resource use stays low, so a relatively small botnet can generate a massive volume of requests.
The scale of the HTTP/2 Rapid Reset attacks has taken the cybersecurity world by surprise. Amazon reported mitigating over a dozen attacks within just two days in late August, with the most potent attack peaking at a staggering 155 million requests per second. Cloudflare faced an even more formidable challenge, with a peak of 201 million requests per second and over 1,100 other attacks exceeding 10 million requests per second. Google, however, saw the largest, reaching an astonishing peak of 398 million requests per second using this novel technique. To put this into perspective, Google noted that this two-minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September 2023.
Although the attack was stopped at its load-balancing edge and caused no outages, Google took the lead in coordinating a cross-industry response with other cloud providers and the software maintainers who implement the HTTP/2 protocol stack. This collaborative effort enabled real-time intelligence sharing and the development of mitigation techniques. The collective response paved the way for a coordinated, responsible disclosure of the new attack methodology and the identification of potential vulnerabilities in common open-source and commercial proxies, application servers, and load balancers.
During the coordinated disclosure process, CVE-2023-44487 was reserved to track fixes across the various HTTP/2 implementations.
Mitigating the HTTP/2 DDoS Attack Threat
Organizations and security teams must take immediate action to mitigate the risk posed by the HTTP/2 Rapid Reset vulnerability. The following steps are essential to safeguard your network:
- Apply Vendor Patches: Vendor patches for CVE-2023-44487 are now available. Deploy them as soon as possible on every component that terminates HTTP/2, including web servers, reverse proxies, application servers, and load balancers.
- Keep Automation Up-to-Date: Ensure that all automation tools, such as Terraform builds and images, are fully patched. This helps prevent the accidental deployment of older, vulnerable versions of web servers into production environments.
- Exercise Caution with Disabling HTTP/2: Disabling HTTP/2 does remove the exposure, but it is rarely the right answer for organizations that depend on web performance, since many modern web applications and services rely on the benefits of HTTP/2 or even HTTP/3. Security teams should treat it as a last resort and prefer mitigations that keep the advantages of a modern web protocol.
- Make use of a CDN: Putting a CDN or DDoS-mitigation provider in front of origin servers means the request flood is absorbed and filtered at the provider's edge, which has far more capacity than a single origin. As the figures above show, the large providers' edges are where these attacks were actually stopped.
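To make the mechanism and the mitigation concrete, the following Python script is an added example; it is not code from the article or from any vendor it mentions. It replays a constructed HTTP/2 frame trace (a HEADERS frame opens a request stream, an RST_STREAM frame cancels it) for one benign and one abusive connection. It shows why the server's concurrent-stream limit never trips (a cancelled stream immediately stops counting as open) and applies a per-connection sliding-window reset-rate check, which is the general shape of one common mitigation: a connection that cancels nearly everything it sends, at a high rate, is closed rather than served. The connection names, timings and the three thresholds are assumptions.

```python
"""Rapid Reset heuristic over a constructed HTTP/2 frame trace (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float       # seconds since the trace started
    conn: str       # connection identifier (e.g. client addr:port)
    stream_id: int  # client-initiated streams use odd ids
    kind: str       # "HEADERS" (new request) or "RST_STREAM" (cancel)


class RapidResetDetector:
    """Flags a connection whose RST_STREAM count in a sliding window is both
    high in absolute terms and close to its request count (almost every
    request is cancelled). Thresholds are assumptions, not article values."""

    def __init__(self, window=1.0, max_resets=100, min_ratio=0.8):
        self.window = window          # seconds of history to consider
        self.max_resets = max_resets  # resets in window before we care
        self.min_ratio = min_ratio    # resets / requests that marks abuse
        self._requests = defaultdict(deque)  # conn -> HEADERS timestamps
        self._resets = defaultdict(deque)    # conn -> RST_STREAM timestamps
        self.flagged = set()

    def _trim(self, dq, now):
        # Drop events that have aged out of the window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def observe(self, frame):
        """Feed one frame; return True if the connection is (now) flagged.
        A real server would answer a flagged connection with GOAWAY."""
        if frame.kind == "HEADERS":
            self._requests[frame.conn].append(frame.ts)
        elif frame.kind == "RST_STREAM":
            self._resets[frame.conn].append(frame.ts)
        else:
            return frame.conn in self.flagged
        req = self._requests[frame.conn]
        rst = self._resets[frame.conn]
        self._trim(req, frame.ts)
        self._trim(rst, frame.ts)
        if len(rst) >= self.max_resets and req and len(rst) / len(req) >= self.min_ratio:
            self.flagged.add(frame.conn)
        return frame.conn in self.flagged


def max_open_streams(frames):
    """Peak number of simultaneously open streams per connection, counted the
    way SETTINGS_MAX_CONCURRENT_STREAMS counts them: RST_STREAM closes the
    stream, so a request-then-reset pattern never accumulates open streams."""
    open_streams = defaultdict(set)
    peak = defaultdict(int)
    for f in sorted(frames, key=lambda f: f.ts):
        if f.kind == "HEADERS":
            open_streams[f.conn].add(f.stream_id)
        elif f.kind == "RST_STREAM":
            open_streams[f.conn].discard(f.stream_id)
        peak[f.conn] = max(peak[f.conn], len(open_streams[f.conn]))
    return dict(peak)


def synthetic_traffic():
    """Constructed trace: a normal client plus an abusive one (assumed data)."""
    frames = []
    # Benign: 20 requests over one second, one cancelled (user navigated away).
    for i in range(20):
        frames.append(Frame(i * 0.05, "benign", 2 * i + 1, "HEADERS"))
    frames.append(Frame(0.3, "benign", 3, "RST_STREAM"))
    # Abusive: 500 requests in half a second, each reset right after being sent.
    for i in range(500):
        t = i * 0.001
        frames.append(Frame(t, "attacker", 2 * i + 1, "HEADERS"))
        frames.append(Frame(t + 0.0001, "attacker", 2 * i + 1, "RST_STREAM"))
    frames.sort(key=lambda f: f.ts)
    return frames


def detect(frames):
    """Run the detector over a trace and return the flagged connections."""
    det = RapidResetDetector()
    for f in frames:
        det.observe(f)
    return sorted(det.flagged)


if __name__ == "__main__":
    trace = synthetic_traffic()
    print("peak open streams:", max_open_streams(trace))
    print("flagged:", detect(trace))
```

Running it shows the abusive connection never has more than one stream open, so a stream-count limit alone would not have noticed it, while the reset-rate check flags it after the hundredth cancellation and leaves the benign client alone.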
In conclusion, the HTTP/2 Rapid Reset vulnerability and the resulting DDoS attacks present a significant threat to organizations that rely on the HTTP/2 protocol. By promptly applying patches, keeping automation up-to-date, and exploring alternative mitigation strategies, organizations can protect themselves from this new and highly impactful cyber threat. The collaboration between tech giants like Google, AWS, and Cloudflare in responding to this attack serves as a testament to the importance of unity in addressing complex and widespread security challenges.