HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487) Attack Advisory
An emerging threat, the HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487), has been identified as a new application-layer denial-of-service attack that poses a significant risk to network security. The vulnerability allows attackers to exploit a design characteristic of the HTTP/2 protocol, so any organization running web, application or API services over HTTP/2 may be at risk from this attack. This article outlines the nature of the threat, its implications, and recommended mitigation measures.
Threat Description
The HTTP/2 Rapid Reset Vulnerability (CVE-2023-44487) leverages characteristics of the HTTP/2 protocol. Unlike HTTP/1.1, HTTP/2 supports multiplexing and concurrency, so multiple data streams can be established far more efficiently within a single TCP connection. The vulnerability lets malicious actors bypass server limits on concurrent streams by sending a reset-stream frame immediately after requesting a new stream. Some bot exploits are known to request a very large number of streams within a single TCP connection. Because servers may fail to clean up closed streams promptly, this places stress on them and eventually disrupts service through resource exhaustion.
Threat Actors
The attackers have harnessed botnets of hosts infected with malware scripts that can initiate TCP sessions independently. They are coordinated by command-and-control (C2) servers, which instruct them to launch rapid reset attacks. In a recent incident, around 20,000 botnets participated in a DDoS attack, possibly including those monitored by the A10 Research Team.
Implications
- Stealthy nature: The attack is initiated through the widely adopted HTTP/2 protocol and is non-reflective, non-volumetric and mostly encrypted. It is therefore much less visible to network-based traffic monitoring and DDoS detection systems.
- L7 application attack: The attack leverages a flaw in the stream multiplexing feature of the HTTP/2 protocol, which leaves any HTTP/2-enabled server or proxy on the internet vulnerable and at risk.
- DDoS Attacks: Botnets are being actively harnessed to exploit this vulnerability to launch large-scale Distributed Denial of Service (DDoS) attacks.
Mitigation Strategy
Here are a number of approaches and strategies to protect your services against the HTTP/2 Rapid Reset attack.
- Patch HTTP/2 servers: Any organization with an HTTP/2-enabled system should assess its exposure to this issue by referring to CVE-2023-44487 or the vendor's advisory, and apply the appropriate remedies, including software patches and updates, as soon as possible.
- Leverage an HTTP/2-capable HTTP proxy or application delivery controller (ADC): Rate limiting HTTP/2 requests alone may not fully remediate this vulnerability, because it tends to throttle legitimate requests as well. In addition, a device that does not understand HTTP/2 request headers cannot distinguish legitimate requests from the attack. This is where the ADC (or HTTP proxy) comes in: the ADC terminates the connection from the source and handles HTTP/2 requests on behalf of the backend servers. The ADC can parse and validate each request and apply countermeasures, for example by monitoring HEADERS and RST_STREAM frame counters and enforcing a limit on frames or concurrent streams per connection.
- IP blocklists: Regularly updating and maintaining IP blocklists to block traffic from known botnets is a fundamental security practice. Blocking traffic from participating HTTP/2 attackers during the attack can substantially mitigate the threat.
- Leverage network filters: It’s recommended to implement geolocation and customizable filters to restrict incoming HTTP traffic. These filters can generally help identify and block potentially malicious traffic.
- Per-source rate limiting: Typical destination-based rate limiting is not effective because it does not distinguish between legitimate and attack requests. Applying per-source rate limiting on an inline network security device, such as a firewall or DDoS protection system, can prevent a single client from opening an excessive number of HTTP streams when infected bots repeatedly send HTTP/2 Rapid Reset traffic. It is better practice still to apply per-source rate limiting to the IPs listed on the maintained IP blocklist.
- Collaborate: It’s important to share threat intelligence with security communities, peers, and industry partners. Collaborative efforts can lead to quicker identification and mitigation of emerging threats.
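The per-connection HEADERS/RST_STREAM frame counting described under the ADC bullet, combined with the per-source aggregation from the rate-limiting bullet, as an added example (not A10's or any ADC's own implementation). The proxy log format, the sample IPs and the thresholds are assumptions for illustration.

```python
"""Flag HTTP/2 connections and source IPs showing a Rapid Reset pattern."""
from collections import defaultdict

# Thresholds an ADC might enforce (assumed values for illustration, not A10 defaults).
MAX_RST_PER_CONN = 50      # RST_STREAM frames tolerated on one connection
MIN_RST_RATIO = 0.8        # fraction of client-opened streams the client itself reset
MAX_RST_PER_SOURCE = 100   # aggregate RST_STREAM count across all connections of one source IP

def parse_line(line):
    """Parse one constructed proxy log line: '<unix_ts> <src_ip> <conn_id> <frame_type> <stream_id>'."""
    ts, src, conn, frame, stream = line.split()
    return float(ts), src, conn, frame, int(stream)

def analyze(lines):
    """Return ({conn_id: stats}, {src_ip: stats}); each stats dict carries a 'flagged' verdict."""
    conns = defaultdict(lambda: {"src": None, "headers": 0, "resets": 0, "streams": set()})
    for line in lines:
        _ts, src, conn, frame, stream = parse_line(line)
        c = conns[conn]
        c["src"] = src
        if frame == "HEADERS" and stream not in c["streams"]:
            c["streams"].add(stream)
            c["headers"] += 1          # a new client-initiated stream
        elif frame == "RST_STREAM":
            c["resets"] += 1           # client cancelled a stream
    sources = defaultdict(lambda: {"resets": 0, "conns": 0, "flagged": False})
    for c in conns.values():
        ratio = c["resets"] / c["headers"] if c["headers"] else 0.0
        # absolute cap, or a high reset ratio on a connection with a meaningful sample size
        c["flagged"] = c["resets"] > MAX_RST_PER_CONN or (c["headers"] >= 10 and ratio >= MIN_RST_RATIO)
        s = sources[c["src"]]
        s["resets"] += c["resets"]
        s["conns"] += 1
    for s in sources.values():
        s["flagged"] = s["resets"] > MAX_RST_PER_SOURCE   # candidate for per-source rate limiting
    return conns, sources

def sample_log():
    """Constructed sample: one legitimate client and one bot that resets every stream at once."""
    lines, ts = [], 1700000000.0
    for i in range(8):                      # legitimate client: 8 streams, one cancelled
        lines.append(f"{ts + i * 0.2:.3f} 203.0.113.10 c1 HEADERS {2 * i + 1}")
    lines.append(f"{ts + 1.7:.3f} 203.0.113.10 c1 RST_STREAM 15")
    for i in range(200):                    # bot: 200 streams, each reset within a millisecond
        sid, t = 2 * i + 1, ts + i * 0.001
        lines.append(f"{t:.3f} 198.51.100.7 c2 HEADERS {sid}")
        lines.append(f"{t + 0.0005:.4f} 198.51.100.7 c2 RST_STREAM {sid}")
    return lines

if __name__ == "__main__":
    conns, sources = analyze(sample_log())
    for src, s in sources.items():
        print(src, "flagged" if s["flagged"] else "ok", s["resets"], "resets")
```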
How A10 Can Help
Thunder ADC supports HTTP/2 VIPs (virtual servers) and has built-in control-frame limits that can mitigate the HTTP/2 Rapid Reset attack. Refer to the A10 Security Advisory for CVE-2023-44487 for more details. Once the attackers' IPs are identified on the ADC, that feedback helps build an effective IP blocklist that can be used as the first line of defense on the firewall or on a DDoS protection system such as A10 Thunder TPS. Thunder TPS enables per-source rate limiting using the maintained IP blocklist and/or threat intelligence lists of known botnets, dropping unwanted traffic before it reaches the HTTP/2 server or ADC.
Conclusion
The HTTP/2 Rapid Reset Vulnerability poses a serious threat to network security, potentially leading to disruptive DDoS attacks. As attackers increasingly exploit this vulnerability with botnets, organizations must take proactive measures to protect their network infrastructure and services. Combining Thunder ADC, Thunder TPS, IP blocklists, and support from A10 Research Team will help in mitigating the impact of this vulnerability. Collaboration within the security community is essential to stay ahead of emerging threats and protect against future attacks.