Dubbed the Largest DDoS Attack, What is CVE-2023-44487 HTTP/2 ‘Rapid Reset’?


Earlier this week, Amazon Web Services, Cloudflare, and Google jointly disclosed their efforts in combating highly potent HTTP/2-based Distributed Denial of Service (DDoS) attacks that used a previously unknown 'Rapid Reset' zero-day technique, now tracked as CVE-2023-44487.

The technique was observed being exploited in the wild from late August 2023 through October 2023.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the Rapid Reset vulnerability, advising organizations that offer HTTP/2 services to apply available patches promptly and to consider the configuration changes and other protective measures discussed in the referenced guidance.

The attack, tracked under the vulnerability identifier CVE-2023-44487, drew wide attention in the security community because of its record-breaking scale, with many calling it the largest DDoS attack ever observed.

This article aims to explain CISA’s alert about the CVE-2023-44487 HTTP/2 vulnerability and shed light on the warning for the Rapid Reset DDoS attack, underscoring the need for immediate action.

Unprecedented Rapid Reset DDoS Attack Magnitudes 

The numbers behind the 'Rapid Reset' attacks were staggering. Amazon Web Services mitigated attacks peaking at 155 million requests per second, while Cloudflare absorbed a peak of 201 million requests per second.

In its blog post, Cloudflare noted that this was nearly three times larger than its previous biggest attack on record, a 71 million request-per-second DDoS attack.

Google saw the largest peak of all, at 398 million requests per second. Because the technique had already been in active use since August, the disclosure prompted heightened concern across the industry.

The CVE-2023-44487 HTTP/2 Rapid Reset DDoS Attack Explained 

The 'Rapid Reset' attack abuses the HTTP/2 'stream multiplexing' feature, which lets a client send many requests over a single TCP connection, each on its own stream.

The attacker opens a stream by sending a HEADERS frame for a request and then immediately cancels it with an RST_STREAM frame, repeating this as fast as the connection allows. Each request costs the attacker almost nothing, but the server has already started work on it (parsing headers, allocating state, often dispatching to a backend) before the cancellation arrives.

HTTP/2 does include a protective limit, SETTINGS_MAX_CONCURRENT_STREAMS, which caps how many streams a client may have open at once on a connection and is meant to bound exactly this kind of resource use.

In practice that limit does not help here: the protocol lets a client cancel a stream unilaterally, without the server's consent, and a cancelled stream no longer counts against the concurrency cap. An attacker who resets each stream immediately never approaches the limit, yet forces the server to absorb an effectively unbounded request rate per connection. Multiplied across a botnet, this is what produced the request rates described above.
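To make that accounting concrete, here is an added illustration, not code from the original article or from any vendor's server, that models a server's per-connection stream table in Python and runs three constructed frame sequences through it: a naive HEADERS-only flood, which the concurrency cap stops; the Rapid Reset pattern against an unpatched server, which the cap never catches; and the same pattern against a server with a hypothetical per-connection reset budget that answers with GOAWAY. The Connection class, the budget of 50 and the frame sequences are assumptions made for the example; the frame and setting names are those of RFC 9113.

```python
"""Added example, not code from the original article or from any vendor:
a minimal model of the server-side stream accounting that Rapid Reset
abuses, beside the kind of per-connection reset limit HTTP/2 servers
shipped as a fix.

Frame names (HEADERS, RST_STREAM, GOAWAY) and SETTINGS_MAX_CONCURRENT_STREAMS
follow RFC 9113. The Connection class, the reset budget of 50 and the frame
sequences are constructed for illustration; real servers count resets per
time window rather than per connection lifetime."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Frame:
    kind: str       # "HEADERS" or "RST_STREAM"
    stream_id: int  # client-initiated streams use odd IDs


@dataclass
class Connection:
    # Advertised via SETTINGS_MAX_CONCURRENT_STREAMS (100 is a common default).
    max_concurrent_streams: int = 100
    # Hypothetical mitigation: resets tolerated before the server gives up on
    # the connection. None models an unpatched server.
    rst_budget: Optional[int] = 50
    open_streams: set = field(default_factory=set)
    work_started: int = 0  # requests the server began processing (cost already paid)
    resets_seen: int = 0
    refused: int = 0       # HEADERS rejected by the concurrency cap
    closed: bool = False   # GOAWAY sent, connection being torn down

    def handle(self, frame: Frame) -> str:
        if self.closed:
            return "DROPPED"
        if frame.kind == "HEADERS":
            if len(self.open_streams) >= self.max_concurrent_streams:
                self.refused += 1
                return "REFUSED_STREAM"
            self.open_streams.add(frame.stream_id)
            # Header parsing, state allocation and backend dispatch happen
            # here, before any RST_STREAM can possibly arrive.
            self.work_started += 1
            return "OPEN"
        if frame.kind == "RST_STREAM":
            # A cancelled stream immediately frees its concurrency slot.
            self.open_streams.discard(frame.stream_id)
            self.resets_seen += 1
            if self.rst_budget is not None and self.resets_seen > self.rst_budget:
                self.closed = True
                return "GOAWAY"
            return "RESET"
        raise ValueError(f"unsupported frame type {frame.kind!r}")


def rapid_reset_frames(n: int) -> List[Frame]:
    """Constructed attacker pattern: every HEADERS is followed at once by
    RST_STREAM for the same stream, on successive odd stream IDs."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1
        frames.append(Frame("HEADERS", sid))
        frames.append(Frame("RST_STREAM", sid))
    return frames


def plain_flood_frames(n: int) -> List[Frame]:
    """Constructed naive flood: HEADERS only, never cancelling anything."""
    return [Frame("HEADERS", 2 * i + 1) for i in range(n)]


def run(conn: Connection, frames: List[Frame]) -> List[str]:
    return [conn.handle(f) for f in frames]


def compare(n: int = 1000):
    """Drive three servers with the same request count and return them."""
    naive = Connection(rst_budget=None)
    run(naive, plain_flood_frames(n))           # concurrency cap works here
    unpatched = Connection(rst_budget=None)
    run(unpatched, rapid_reset_frames(n))       # cap never triggers
    patched = Connection(rst_budget=50)
    run(patched, rapid_reset_frames(n))         # closed after 51 resets
    return naive, unpatched, patched


if __name__ == "__main__":
    labels = ("plain flood", "rapid reset, unpatched", "rapid reset, patched")
    for name, c in zip(labels, compare()):
        print(f"{name:24s} work_started={c.work_started:4d} refused={c.refused:4d} "
              f"resets={c.resets_seen:4d} closed={c.closed}")
```

Run as a script, the plain flood is capped at 100 units of work with 900 refused streams, the unpatched server does all 1000 units of work without ever refusing a stream, and the patched server stops after 51 and closes the connection. The point is that the concurrency cap only bounds streams that stay open; a defence has to count cancellations (or the rate of new streams) as well.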

The Biggest DDoS Attack on Record 

The attackers exploited a weakness in a protocol that underpins much of the web's delivery infrastructure: any origin server, reverse proxy, load balancer or CDN edge that accepts HTTP/2 connections is a potential target, which is why so many vendors and operators had to respond at once.

Despite the alarming headlines, CVE-2023-44487 does not let an attacker take control of a system, execute code, install malware or steal data. It is purely an availability issue: the server is driven out of CPU, memory or backend capacity and stops serving legitimate users.

It was one of the 'Five Actively Exploited Vulnerabilities' covered in a recent report, alongside unrelated flaws in other vendors' products: CVE-2023-21608 (Adobe), CVE-2023-20109 (Cisco), CVE-2023-41763 (Microsoft), CVE-2023-36563 (Microsoft), and CVE-2023-44487 (HTTP/2 protocol).

Rapid Reset DDoS Attack: CISA’s Urgent Warning  

Recognizing the severity of the situation, CISA promptly issued a warning to organizations responsible for critical internet delivery services.

The agency urged them to act immediately by applying patches and other mitigations for the vulnerability. Given the scale of the attacks already observed, this was a necessity rather than a suggestion.

The consequences of not heeding CISA’s warning are severe. Failure to address the security vulnerability promptly could leave organizations vulnerable to relentless DDoS attacks, leading to prolonged downtime, loss of user trust, and substantial financial repercussions. 

To lessen the impact of DoS attacks, organizations can consider adopting proactive measures, utilizing advisories and reports provided by CISA.

These resources, including “Understanding and Responding to Distributed Denial-of-Service Attacks” and “Additional DDoS Guidance for Federal Agencies,” offer valuable insights for addressing the issue.

Rapid Reset DDoS Attack: Collaborative Effort Required 

Given the gravity of CVE-2023-44487, which heaps load on web servers through rapid stream creation and cancellation, addressing it is paramount.

Organizations running their own HTTP/2-enabled web servers, reverse proxies or load balancers should work closely with their vendors to apply patches promptly. The fixes that vendors shipped generally track the rate of client-initiated RST_STREAM frames (or of new streams) per connection and close abusive connections with a GOAWAY frame, rather than relying on the concurrent-stream limit alone; where a patch is not yet available, rate limiting at the edge or temporarily disabling HTTP/2 and falling back to HTTP/1.1 are the usual stopgaps. This is crucial to fortify defenses against the threat and protect vital web infrastructure.

The ‘Rapid Reset’ DDoS attack, with its unprecedented scale and impact, underscores the necessity for a collective and proactive response to evolving cybersecurity challenges.

In a constantly evolving digital landscape, the lessons learned emphasize the importance of vigilance, collaboration, and timely patch management to secure online infrastructure against unforeseen threats. 

Collaboration is essential in mitigating this threat, extending beyond the responsibilities of critical internet service providers.

Technology vendors, internet service providers, and government agencies must unite in this effort, emphasizing collaboration and information sharing to proactively address vulnerabilities before they are exploited by malicious actors.
