HTTP2 zero-day enabled record-setting DDoS attacks

Vendors scramble to patch Rapid Reset vulnerability.

By Richard Chirgwin on Oct 11, 2023 10:53AM

Web server vendors have been busy responding to an HTTP2 protocol vulnerability which Google said has enabled high-capacity DDoS attacks it has observed since August 2023.

Tagged as CVE-2023-44487, the flaw Google and others found is that HTTP2’s ability to support multiple streams in a TCP session is vulnerable to what Google has dubbed a “Rapid Reset” attack.

In a blog post, Google said one Rapid Reset attack it observed generated a traffic peak of 398 million requests per second.

While Google said its infrastructure was able to withstand the attack, a “coordinated effort” was needed to understand the attack mechanics and mitigations.

In a technical blog post, Google described the Rapid Reset problem in detail.

In brief: the attacker’s client opens a large number of streams per TCP session to the server and immediately cancels those requests, which can lead to resource exhaustion on the server.

“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly cancelling the requests, the attacker never exceeds the limit on the number of concurrent open streams,” the post states.

“In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for cancelled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource.”

At the same time, the attacking client needs less capacity: “Cancelling the requests before a response is written reduces downlink (server/proxy to attacker) bandwidth.”
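The mechanism described above, as an added example that is not from the article or from Google’s or Cloudflare’s write-ups: a small Python model of the server side of one HTTP/2 connection. It shows why the protocol’s own concurrent-stream limit does not catch the pattern (it only counts streams that are still open) and how the mitigation most vendors converged on works (budgeting RST_STREAM frames per connection over a sliding time window and sending GOAWAY when the budget is exceeded). Frame and error-code names follow RFC 9113; the limits, the two frame sequences and the STREAM_DONE event are constructed for the demo and are not any vendor’s defaults.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for the demo, not any server's real defaults.
MAX_CONCURRENT_STREAMS = 100   # SETTINGS_MAX_CONCURRENT_STREAMS we advertised to the peer
RESET_BUDGET = 50              # RST_STREAM frames tolerated per window before GOAWAY
RESET_WINDOW_SECONDS = 1.0     # sliding window over which resets are counted


@dataclass
class ConnectionState:
    """Per-TCP-connection server state for the part of HTTP/2 that matters here."""
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)  # timestamps of recent RST_STREAMs
    headers_processed: int = 0   # stands in for the work spent per HEADERS frame
    refused: int = 0
    closed_reason: Optional[str] = None


def handle_frame(conn: ConnectionState, now: float, frame_type: str,
                 stream_id: int, mitigate: bool = True) -> str:
    """Process one client-side event. Returns 'ok', 'refused' or 'goaway'."""
    if conn.closed_reason is not None:
        return "goaway"                      # connection already torn down
    if frame_type == "HEADERS":
        # Protocol-level check: counts only streams still open, which is exactly
        # why a request that is cancelled straight away slips past it.
        if len(conn.open_streams) >= MAX_CONCURRENT_STREAMS:
            conn.refused += 1
            return "refused"                 # real server: RST_STREAM(REFUSED_STREAM)
        conn.open_streams.add(stream_id)
        conn.headers_processed += 1          # HPACK decode, parse, route: already spent
        return "ok"
    if frame_type == "STREAM_DONE":
        conn.open_streams.discard(stream_id)  # simulated: server finished its response
        return "ok"
    if frame_type == "RST_STREAM":
        conn.open_streams.discard(stream_id)
        if mitigate:
            conn.reset_times.append(now)
            while conn.reset_times and now - conn.reset_times[0] > RESET_WINDOW_SECONDS:
                conn.reset_times.popleft()
            if len(conn.reset_times) > RESET_BUDGET:
                conn.closed_reason = "ENHANCE_YOUR_CALM"   # GOAWAY error code, RFC 9113
                return "goaway"
        return "ok"
    raise ValueError(f"unhandled frame type {frame_type}")


def replay(frames, mitigate: bool = True) -> dict:
    """Feed a (time, type, stream_id) sequence through one connection and summarise it."""
    conn = ConnectionState()
    max_open = 0
    for now, frame_type, stream_id in frames:
        handle_frame(conn, now, frame_type, stream_id, mitigate)
        max_open = max(max_open, len(conn.open_streams))
    return {
        "headers_processed": conn.headers_processed,
        "max_open_streams": max_open,
        "refused": conn.refused,
        "closed_reason": conn.closed_reason,
    }


def rapid_reset_frames(pairs: int, spacing: float = 0.0001):
    """Constructed input: every request is cancelled immediately after being sent."""
    frames = []
    for i in range(pairs):
        stream_id = 2 * i + 1                # client-initiated streams are odd-numbered
        frames.append((2 * i * spacing, "HEADERS", stream_id))
        frames.append((2 * i * spacing + spacing, "RST_STREAM", stream_id))
    return frames


def normal_frames(requests: int, spacing: float = 0.01):
    """Constructed input: a busy, well-behaved client that cancels one request in 100."""
    frames = []
    for i in range(requests):
        stream_id = 2 * i + 1
        frames.append((i * spacing, "HEADERS", stream_id))
        kind = "RST_STREAM" if i % 100 == 99 else "STREAM_DONE"
        frames.append((i * spacing + spacing / 2, kind, stream_id))
    return frames


if __name__ == "__main__":
    print("rapid reset, stream limit only:", replay(rapid_reset_frames(1000), mitigate=False))
    print("rapid reset, with reset budget: ", replay(rapid_reset_frames(1000), mitigate=True))
    print("normal client, with reset budget:", replay(normal_frames(500), mitigate=True))
```

With only the concurrent-stream limit, a thousand cancelled requests never raise the open-stream count above one, yet the server performs the per-request work a thousand times; with the reset budget, the connection is closed after the 51st cancellation, while the well-behaved client, whose resets are rare and spread out, is never affected. The budget and window are the knobs a deployment has to tune against its own legitimate cancellation rate.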

Cloudflare has also written up Rapid Reset, adding it was “concerning ... that the attacker was able to generate such an attack with a botnet of merely 20,000 machines”.

Industry response

Fixes have already been issued in a large number of affected products (a complete list is at the vulnerability’s CVE entry).

Products already patched include Eclipse’s Jetty project; Swift; the NGHTTP2 library; Alibaba’s Tengine; Apache Tomcat; some F5 Big-IP products; Bugzilla’s Proxmox; FreeBSD; Golang; Facebook’s Proxygen; and more.

Microsoft and AWS have issued their own advice on how to prevent HTTP2 Rapid Reset attacks.
