Researchers disclosed a new zero-day DDoS attack technique, named ‘HTTP/2 Rapid Reset’, that was exploited since August in record-breaking attacks.
Google announced to have observed a new series of massive DDoS attacks that reached a peak of 398 million requests per second (rps). The attacks relied on the novel HTTP/2 Rapid Reset technique, which is based on stream multiplexing that has affected multiple Internet infrastructure companies.
Google states that the attacks using this zero-day technique started in late August and are still ongoing, targeting major infrastructure providers, including Google services, Google Cloud infrastructure, and its customers. Google pointed out it was able to mitigate the attack.
“Our investigation revealed that the attack was using a novel “Rapid Reset” technique that leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol. We provide further analysis of this new Rapid Reset technique and discuss the evolution of Layer 7 attacks in a companion blog.” reads the post published by Google.
The collective susceptibility to this attack is being tracked by the IT giant as CVE-2023-44487 (CVSS score of 7.5).
Amazon announced the mitigation of attacks using this technique and that reached 155 million requests per second (Amazon), while Claudflare observed attacks reaching 201 million rps.
“This attack was made possible by abusing some features of the HTTP/2 protocol and server implementation details (see CVE-2023-44487 for details). Because the attack abuses an underlying weakness in the HTTP/2 protocol, we believe any vendor that has implemented HTTP/2 will be subject to the attack. This included every modern web server.” states Cloudflare.
The attack technique abuses HTTP/2’s stream cancellation feature. The attackers continuously send and cancel requests to the target server causing a DOS condition.
Google researchers explained that the HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol allows the client to unilaterally request a cancelation.
“This attack is called Rapid Reset because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open.” continues Google.
In HTTP/2 Rapid Reset attack, the client opens a large number of streams at once, but doesn’t wait for a response to each request stream from the server or proxy and cancels each request immediately.
Upon immediately resetting streams each connection can have an indefinite number of requests in flight.
Through deliberate request cancellations, the attacker guarantees that the maximum limit of concurrent open streams is never surpassed. As a result, the count of in-flight requests becomes solely contingent on the available network bandwidth, with the round-trip time (RTT) no longer exerting an influence.
“Any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack. Web applications, services, and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable. Organizations should verify that any servers they run that support HTTP/2 are not vulnerable, or apply vendor patches for CVE-2023-44487 to limit impact from this attack vector.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – DDoS, HTTP/2 Rapid Reset)