Over the preceding two months, malevolent actors have exploited a vulnerability in the HTTP/2 web communication protocol, rendering web application servers, load balancers, and web proxies susceptible to distributed denial-of-service (DDoS) attacks of an unprecedented magnitude. Major cloud infrastructure providers like Google, AWS, and Cloudflare, as well as web server vendors, have been collaborating on mitigation strategies and patches within private groups, until the vulnerability was disclosed recently.

Termed the “HTTP/2 Rapid Reset DDoS attacks,” these attacks leverage the stream multiplexing feature of the HTTP/2 protocol, which enables the concurrent transmission of multiple HTTP requests over the same TCP transport connection. These attacks also exploit the client’s ability to unilaterally reset these streams. The vulnerability is documented under CVE-2023-44487, and organizations are urged to verify whether their web server and load balancer providers have issued patches or mitigation recommendations.

Stream multiplexing enhances DDoS attacks

In the previous version of HTTP (HTTP/1), which is still supported by most servers and web clients, multiple requests could be dispatched over a single TCP connection, albeit sequentially. The server would process and respond to these requests in the order they were received.  HTTP/2, on the other hand, permits the simultaneous transmission of multiple requests (referred to as streams) over a TCP connection, irrespective of their order. This is achievable through the assignment of a unique ID to each stream, allowing the server to distinguish the source of each frame and respond accordingly. This mechanism, known as stream multiplexing, optimizes the utilization of TCP connections and accelerates page loading times.

Consider a contemporary web page featuring numerous resources, third-party scripts, and images sourced from various locations. When accessed via HTTP/2, a web browser will initiate the parallel loading of these resources, prioritizing those visible to the user. If the user quickly navigates away from the page, the browser can terminate the streams associated with resources that have not fully loaded or rendered, without closing the entire connection and commencing new requests.

Since late 2021, the majority of Layer 7 DDoS attacks observed on Google’s first-party services and Google Cloud projects safeguarded by Cloud Armor have been founded on HTTP/2. This new attack method exploits the efficiency inherent in HTTP/2, making DDoS attacks more effective.

Circumventing concurrent stream limits with Rapid Resets

The protocol’s developers were aware from the beginning that allowing concurrent streams might lead to a server’s resource exhaustion, creating a denial-of-service scenario. Hence, they incorporated a setting called “SETTINGS_MAX_CONCURRENT_STREAMS,” which the server conveys to endpoint clients during the initial connection via a SETTINGS frame.

By default, this setting is unrestricted. However, the protocol’s designers recommend that it should not be set lower than 100 to maintain efficient parallelism. Consequently, many clients do not wait for the SETTINGS frame but assume a minimum limit of 100 and transmit 100 frames from the outset.

The challenge arises with another feature called “RST_STREAM” or “reset stream,” which is a frame type a client can transmit to a server, indicating the cancellation of a previously opened stream ID. This function is beneficial because it informs the server to cease responding to an earlier request, thereby conserving bandwidth.

Nonetheless, sending an RST_STREAM frame removes the targeted stream from the maximum concurrent streams limit, allowing the client to immediately initiate a new stream after resetting a prior one. This implies that even with a concurrent stream limit of 100, the client can consecutively open and reset hundreds of streams over the same TCP connection.

The server still expends resources to process RST_STREAM frames, which, though minor, accumulate rapidly with a large number of requests. Exploiting this technique, attackers have launched massive DDoS attacks against servers hosted by Google, Cloudflare, and AWS.

Mitigating and patching HTTP/2 DDoS attacks

Mitigating these attacks is intricate because RST_STREAM cancellations serve legitimate purposes. Hence, each server owner must discern when abuse is occurring and determine an appropriate response, contingent on connection statistics and business logic. For instance, if a TCP connection comprises more than 100 requests and the client cancels over 50% of them, the connection might be considered abusive. Responses could range from issuing forceful GOAWAY frames to instantly closing the TCP connection.

An alternative response might involve temporarily blocking an offending IP address from accessing the service via HTTP/2 and relegating it to HTTP 1.x only. However, IP filters may pose challenges as multiple clients can share the same IP address, and not all of them might be malicious. By restricting requests to HTTP 1.x, non-malicious clients behind a filtered IP can still access the web service, albeit with a performance downgrade.

Developers of Nginx, a popular reverse proxy and load balancer, have introduced mitigations based on existing server features, like keepalive_requests, limit_conn, and limit_req. They are also preparing a patch to further limit the impact of such attacks.

Other infrastructure companies, such as Microsoft, AWS, and F5, and web server or load balancing software developers have shared their mitigation strategies and patches. Users can refer to the official CVE tracker entry for updated responses from vendors.

About Purple Shield Security

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Managed Cybersecurity Services, Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.

 

#cybersecuritynews #securitynews #hacking #datasecurity #ddosattack #ddos #cloudsecurity #zeroday