iTnews Asia
  • Home
  • News
  • Security

HTTP2 zero-day enabled record-setting DDoS attacks

HTTP2 zero-day enabled record-setting DDoS attacks

Vendors scramble to patch Rapid Reset vulnerability.

By Richard Chirgwin on Oct 11, 2023 10:53AM

Web server vendors have been busy responding to an HTTP2 protocol vulnerability which Google said has enabled high-capacity DDoS attacks it has observed since August 2023.

Tagged as CVE-2023-44487, what Google and others found is that HTTP2’s ability to support multiple streams in a TCP session is vulnerable to what it’s dubbed a “Rapid Reset” attack.

In a blog post, Google said one Rapid Reset attack it observed generated a traffic peak of 398 million requests per second.

While Google said its infrastructure was able to withstand the attack, a “coordinated effort” was needed to understand the attack mechanics and mitigations.

In a technical blog post, Google described the Rapid Reset problem in detail.

In brief: the attacker’s client opens a large number of streams per TCP session to the server, and immediately cancels those requests, which can lead to resource exhaustion in the server.

“The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly cancelling the requests, the attacker never exceeds the limit on the number of concurrent open streams," the post states.

“In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for cancelled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource.”

At the same time, the attacking client needs less capacity: “Cancelling the requests before a response is written reduces downlink (server/proxy to attacker) bandwidth.”

Cloudflare has also written up Rapid Reset, adding it was “concerning ... that the attacker was able to generate such an attack with a botnet of merely 20,000 machines".

Industry response

Fixes have already been issued in a large number of affected products (a complete list is at the vulnerability’s CVE entry).

Products already patched include Eclipse’s Jetty project; Swift; the NGHTTP2 library; Alibaba’s Tengine; Apache Tomcat; some F5 Big-IP products; Bugzilla’s Proxmox; FreeBSD; Golang; Facebook’s Proxygen; and more.

Microsoft and AWS have issued their own advice on how to prevent HTTP2 Rapid Reset attacks.

To reach the editorial team on your feedback, story ideas and pitches, contact them here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
cloudflare google http2 microsoft security software

Related Articles

  • Proofpoint CEO: A tool-based approach for cybersecurity is impractical
  • Akamai: AI-security is both a security imperative and an economic necessity
  • The real-life Tom & Jerry chase
  • How can we bolster our resilience against AI-enabled e-mail attacks?
Share on Twitter Share on Facebook Share on LinkedIn Share on Whatsapp Email A Friend

Most Read Articles

Proofpoint CEO: A tool-based approach for cybersecurity is impractical

Proofpoint CEO: A tool-based approach for cybersecurity is impractical
The real-life Tom & Jerry chase

The real-life Tom & Jerry chase
How can we bolster our resilience against AI-enabled e-mail attacks?

How can we bolster our resilience against AI-enabled e-mail attacks?
Akamai: AI-security is both a security imperative and an economic necessity

Akamai: AI-security is both a security imperative and an economic necessity
All rights reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorisation.
Your use of this website constitutes acceptance of Lighthouse Independent Media's Privacy Policy and Terms & Conditions.