A recently discovered HTTP/2 protocol-based Distributed-Denial-of-Service (DDoS) vulnerability has been identified by multiple cloud service providers. This vulnerability enables attackers to achieve an unprecedented record of 398 million requests per second. This vulnerability has been identified as CVE-2023-44487, potentially making it one of the largest layer 7 DDoS attacks ever recorded.
What is HTTP/2 Rapid Reset?
HTTP/2 represents an innovative advancement in the HTTP protocol, emphasizing superior webpage performance and faster loading speeds. In comparison to HTTP/1.1, it employs multiplexing, allowing concurrent processing of multiple requests and responses, significantly reducing latency. Furthermore, HTTP/2 incorporates header compression and server push features, dramatically optimizing data transfer efficiency. Thanks to these advantages, HTTP/2 is gradually being adopted by major websites and applications, heralding the arrival of a new era on the internet.
However, the widespread adoption of HTTP/2 also brings new security challenges. The efficiency in performance has vulnerabilities: in pursuit of extreme processing performance, HTTP/2 supports concurrent TCP requests and permits rapid stream resets (RST_Stream) before the server responds to conserve bandwidth. Attackers have exploited this. They frequently send a large number of requests to the server and quickly initiate resets just before the server responds, forcing the server to reset streams while processing requests at high speed. This strategy rapidly depletes the server’s resources, enabling successful DDoS attacks.
Previously, attackers also initiated multiple stream requests for a significant amount of data and manipulated window sizes and stream priorities, forcing the server to queue data one byte at a time, depleting resources in the process. Similarly, attackers would continuously send pings to HTTP/2 nodes, causing backlogged responses on the other end, consuming significant CPU and memory resources, rendering the server unresponsive.
How Can NSFOCUS Anti-DDoS Solution Help to Protect Against HTTP/2 Rapid Reset DDoS Attacks?
Session interception
To counter these attacks, measures can be taken at the session level by limiting new connections and concurrency to resist frequent abnormal requests, thereby intercepting abnormal sessions.
Six Algorithms Defending against HTTP/2 Rapid Reset DDoS Attacks
When dealing with large-scale attacks that mimic normal but have low frequency, relying solely on session control may not be enough. In 2022, NSFOCUS ADS (Anti-DDoS System) introduced six major protection algorithms tailored to the characteristics of HTTP/2. After a year of practical application and market testing, we have accumulated extensive protection experience.
The algorithms we employ can accurately identify the authenticity of the clients, ensuring that malicious requests cannot pass through. Additionally, we support protection by sending probe frames based on the protection algorithms and perform RFC validation on HTTP/2 frames to filter out non-standard requests. Under the protection policies of ADS, spoofed requests cannot reach the server, ensuring that server resources are used efficiently and are not maliciously consumed.
- Supports six algorithms defending against the HTTP/2 Rapid Reset DDoS attacks for client authenticity verification;
- Supports sending probe frames based on configured protection algorithms (e.g., 302);
- Supports RFC validation on HTTP/2 frames to identify, discard and blacklist non-standard messages.
As technologies evolve rapidly, the emergence of new technologies always comes with new challenges. The advent of HTTP/2 undeniably brought a significant leap in our network experience, but it also revealed new security vulnerabilities. NSFOCUS has maintained a vigilant focus on emerging technologies and the ever-evolving landscape of cybersecurity threats. Our commitment to ongoing research and development has led to the creation of advanced protection policies, ensuring that we deliver state-of-the-art, efficient, and resilient security solutions to our valued customers.
What Should Organizations Do?
- Organizations must prioritize immediate system updates to ensure protection against these highly disruptive cyber threats.
- This vulnerability is primarily targeted at layer 7 rather than layer 3 or 4. NSFOCUS recommends users deploy appropriate Anti-DDoS solutions and WAF solutions to further improve security and availability.
- If conditions permit, NSFOCUS recommends disabling HTTP/2 web services to circumvent the flaw altogether until a hotfix patch is available.