iTnews Asia
  • Home
  • News
  • Security

HTTP2 zero-day enabled record-setting DDoS attacks

HTTP2 zero-day enabled record-setting DDoS attacks

Vendors scramble to patch Rapid Reset vulnerability.

By Richard Chirgwin on Oct 11, 2023 10:53AM

Web server vendors have been busy responding to an HTTP2 protocol vulnerability which Google said has enabled high-capacity DDoS attacks it has observed since August 2023.

Tagged as CVE-2023-44487, what Google and others found is that HTTP2’s ability to support multiple streams in a TCP session is vulnerable to what it’s dubbed a “Rapid Reset” attack.

In a blog post, Google said one Rapid Reset attack it observed generated a traffic peak of 398 million requests per second.

While Google said its infrastructure was able to withstand the attack, a “coordinated effort” was needed to understand the attack mechanics and mitigations.

In a technical blog post, Google described the Rapid Reset problem in detail.

In brief: the attacker’s client opens a large number of streams per TCP session to the server, and immediately cancels those requests, which can lead to resource exhaustion in the server.

“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly cancelling the requests, the attacker never exceeds the limit on the number of concurrent open streams," the post states.

“In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for cancelled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource.”

At the same time, the attacking client needs less capacity: “Cancelling the requests before a response is written reduces downlink (server/proxy to attacker) bandwidth.”

Cloudflare has also written up Rapid Reset, adding it was “concerning ... that the attacker was able to generate such an attack with a botnet of merely 20,000 machines".

Industry response

Fixes have already been issued in a large number of affected products (a complete list is at the vulnerability’s CVE entry).

Products already patched include Eclipse’s Jetty project; Swift; the NGHTTP2 library; Alibaba’s Tengine; Apache Tomcat; some F5 Big-IP products; Bugzilla’s Proxmox; FreeBSD; Golang; Facebook’s Proxygen; and more.

Microsoft and AWS have issued their own advice on how to prevent HTTP2 Rapid Reset attacks.

To reach the editorial team on your feedback, story ideas and pitches, contact them here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
cloudflare google http2 microsoft security software

Related Articles

  • Your organisation’s physical security can be a gateway for cybercriminals
  • The best way to outsmart your threat actors is to think like one
  • How cybercriminals are exploiting LLMs to harm your business
  • Is identity now the next parameter of cybersecurity breaches?
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

The best way to outsmart your threat actors is to think like one

The best way to outsmart your threat actors is to think like one
What are the most pressing cyber security concerns going into 2025?

What are the most pressing cyber security concerns going into 2025?
Philippines Maxicare, Jollibee Foods Corporation hit by data breach

Philippines Maxicare, Jollibee Foods Corporation hit by data breach
How cybercriminals are exploiting LLMs to harm your business

How cybercriminals are exploiting LLMs to harm your business
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of Lighthouse Independent Media's Privacy Policy and Terms & Conditions.