On October 10th, Cloudflare, Google, and AWS disclosed a novel zero-day vulnerability attack known as the "HTTP/2 Rapid Reset." This attack exploits a weakness in the HTTP/2 protocol to generate enormous Distributed Denial of Service (DDoS) attacks, up to almost 400 million requests per second (rps).
The CVE-2023-44487 vulnerability takes advantage of the ability of HTTP/2 to allow for multiple distinct logical connections to be multiplexed over a single HTTP session, with the rapid reset attack consisting of multiple HTTP/2 connections with requests and resets in rapid succession. Juho Snellman, staff software engineer at Google, and Daniele Iamartino, staff site reliability engineer at Google, explain:
This attack is called Rapid Reset because it relies on the ability for an endpoint to send an RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled but leaves the HTTP/2 connection open.
Source: Google blog
According to the announcement, Cloudflare had to mitigate in the last two months more than 1100 DDoS attacks with over 10 million rps, and 184 attacks that were greater than the previous DDoS record of 71 million rps. The other providers experienced similar challenges, with Google mitigating an attack that peaked above 398 million rps. Grant Bourzikas, CISO at Cloudflare, writes:
By automating this trivial "request, cancel, request, cancel" pattern at scale, threat actors are able to create a denial of service and take down any server or application running the standard implementation of HTTP/2. Furthermore, one crucial thing to note about the record-breaking attack is that it involved a modestly-sized botnet, consisting of roughly 20,000 machines.
While the primary goal of HTTP/2 was efficiency, the features that make HTTP/2 more efficient can also be used to improve the efficiency of DDoS attacks. Robin Marx, web protocol and performance expert at Akamai, explains why the vulnerability does not affect HTTP/3, while Daniel Bloom, security researcher at Bloom Cyber Defense, has released a non-invasive vulnerability scanning tool to check if web servers are vulnerable to CVE-2023-44487.
Tom Scholl, VP and distinguished engineer at AWS, and Mark Ryland, director of security at Amazon, warn:
Keep in mind that HTTP/2 rapid reset attacks are just a new type of HTTP request flood. To defend against these sorts of DDoS attacks, you can implement an architecture that helps you specifically detect unwanted requests as well as scale to absorb and block those malicious HTTP requests.
Cloud infrastructures are designed with various protections to handle Layer 7 request floods, but Cloudflare, Google, and AWS have implemented additional mitigations for their CDN and WAF that support HTTP/2. They also recommend that customers who operate their own HTTP/2 web servers check with their vendors to determine if they are affected. For example, F5 has released a patch for the NGINX HTTP/2 module that increases system stability and imposes a limit on the number of new streams that can be introduced within one event loop.
AWS provides the AWS Best Practices for DDoS Resiliency whitepaper to reduce the impact of DDoS attacks for applications running on AWS.