Web server vendors have been busy responding to an HTTP/2 protocol vulnerability which Google said has enabled high-capacity DDoS attacks it has observed since August 2023.
Tagged as CVE-2023-44487, the weakness Google and others found is that HTTP/2’s ability to multiplex many streams over a single TCP connection can be abused in what Google has dubbed a “Rapid Reset” attack.
In a blog post, Google said one Rapid Reset attack it observed generated a traffic peak of 398 million requests per second.
While Google said its infrastructure was able to withstand the attack, a “coordinated effort” was needed to understand the attack mechanics and mitigations.
In a technical blog post, Google described the Rapid Reset problem in detail.
In brief: the attacker’s client opens a large number of streams on each TCP connection to the server and immediately cancels every request with an RST_STREAM frame, without waiting for a response; the server has already started work on each request, so the pattern can lead to resource exhaustion on the server.
“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly cancelling the requests, the attacker never exceeds the limit on the number of concurrent open streams,” the post states.
“In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for cancelled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource.”
At the same time, the attacking client needs less capacity: “Cancelling the requests before a response is written reduces downlink (server/proxy to attacker) bandwidth.”
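The mechanics quoted above are easier to see with a small model of the frame exchange. The following Python is an added example, not code from Google’s or Cloudflare’s write-ups: the client side builds real HTTP/2 HEADERS and RST_STREAM frames (RFC 9113 layout, with a minimal HPACK header block per RFC 7541), and the server side tracks open streams against its advertised concurrency limit and counts the header blocks it is forced to decode. The per-connection RST_STREAM budget is the shape of the rate-limiting mitigation that patched implementations adopted; the threshold of 100 resets, the concurrency limit of 100 and the `example.com` authority are assumptions chosen for the illustration.

```python
"""Model of HTTP/2 Rapid Reset (CVE-2023-44487) and a per-connection reset budget."""
import struct
from dataclasses import dataclass, field
from typing import Optional

# Frame types, flags and error codes from RFC 9113 (real values).
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL, REFUSED_STREAM, ENHANCE_YOUR_CALM = 0x8, 0x7, 0xB
# Subset of the HPACK static table (RFC 7541, Appendix A) used by the encoder below.
HPACK_STATIC = {1: (":authority", ""), 2: (":method", "GET"),
                4: (":path", "/"), 7: (":scheme", "https")}


def frame(ftype, flags, stream_id, payload):
    """24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then payload."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def request_frame(stream_id, authority=b"example.com"):
    """HEADERS frame for 'GET https://<authority>/' carrying END_STREAM|END_HEADERS."""
    block = bytes([0x82, 0x87, 0x84])                      # indexed :method, :scheme, :path
    block += bytes([0x01, len(authority)]) + authority     # literal :authority (indexed name)
    return frame(HEADERS, END_STREAM | END_HEADERS, stream_id, block)


def rst_frame(stream_id, code=CANCEL):
    """RST_STREAM frame: the 4-byte payload is the error code (CANCEL for Rapid Reset)."""
    return frame(RST_STREAM, 0, stream_id, struct.pack("!I", code))


def hpack_decode(block):
    """Minimal HPACK decoder: indexed fields and literals with an indexed name, no Huffman."""
    out, i = [], 0
    while i < len(block):
        b = block[i]
        if b & 0x80:                                       # indexed header field
            out.append(HPACK_STATIC[b & 0x7F])
            i += 1
        elif b & 0xF0 == 0:                                # literal without indexing, indexed name
            name = HPACK_STATIC[b & 0x0F][0]
            n = block[i + 1]
            if n & 0x80:
                raise ValueError("Huffman-coded strings not supported in this model")
            out.append((name, block[i + 2:i + 2 + n].decode()))
            i += 2 + n
        else:
            raise ValueError("unsupported HPACK representation")
    return out


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each frame in a byte buffer."""
    i = 0
    while i + 9 <= len(buf):
        length = int.from_bytes(buf[i:i + 3], "big")
        ftype, flags = buf[i + 3], buf[i + 4]
        sid = struct.unpack("!I", buf[i + 5:i + 9])[0] & 0x7FFFFFFF
        yield ftype, flags, sid, buf[i + 9:i + 9 + length]
        i += 9 + length


@dataclass
class Server:
    """Per-connection server state; `work` counts the header blocks it had to decode."""
    max_concurrent: int = 100            # SETTINGS_MAX_CONCURRENT_STREAMS it advertised (assumed)
    rst_budget: Optional[int] = None     # mitigation: max RST_STREAMs per connection (assumed)
    open_streams: set = field(default_factory=set)
    work: int = 0
    peak_open: int = 0
    refused: int = 0
    resets: int = 0
    closed_with: Optional[int] = None    # GOAWAY error code once the connection is torn down

    def feed(self, data):
        for ftype, flags, sid, payload in parse_frames(data):
            if self.closed_with is not None:
                return                                     # nothing is processed after GOAWAY
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    self.refused += 1                      # would answer RST_STREAM(REFUSED_STREAM)
                    continue
                hpack_decode(payload)                      # the work the attacker forces
                self.open_streams.add(sid)
                self.work += 1
                self.peak_open = max(self.peak_open, len(self.open_streams))
            elif ftype == RST_STREAM:
                self.open_streams.discard(sid)             # the slot is freed immediately
                self.resets += 1
                if self.rst_budget is not None and self.resets > self.rst_budget:
                    self.closed_with = ENHANCE_YOUR_CALM   # GOAWAY: too many resets


def plain_flood(n, **kw):
    """Open n streams and never cancel: the concurrency limit caps the server's work."""
    srv = Server(**kw)
    srv.feed(b"".join(request_frame(2 * i + 1) for i in range(n)))
    return srv


def rapid_reset(n, **kw):
    """Open n streams, cancelling each one right after its HEADERS frame."""
    srv = Server(**kw)
    srv.feed(b"".join(request_frame(2 * i + 1) + rst_frame(2 * i + 1) for i in range(n)))
    return srv
```

Running `plain_flood(150)` shows the limit doing its job: only 100 streams are ever open and the remaining 50 are refused without being decoded. `rapid_reset(150)` decodes all 150 header blocks while the open-stream count never rises above one, which is exactly the “indefinite number of requests in flight” Google describes. Setting `rst_budget=100` makes the model close the connection on the 101st reset, so the attacker’s work is bounded again at the cost of one connection.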
Cloudflare has also written up Rapid Reset, adding it was “concerning … that the attacker was able to generate such an attack with a botnet of merely 20,000 machines”.
Industry response
Fixes have already been issued for a large number of affected products (a complete list is at the vulnerability’s CVE entry).
Products already patched include Eclipse’s Jetty project; Swift; the nghttp2 library; Alibaba’s Tengine; Apache Tomcat; some F5 BIG-IP products; Proxmox; FreeBSD; Go; Facebook’s Proxygen; and more.
Microsoft and AWS have issued their own advice on how to prevent HTTP2 Rapid Reset attacks.