Zero-Day Attacks Exploit 'Rapid Reset' Weakness in HTTP/2
Web Servers Need Patching; Google, Amazon, Cloudflare See Massive DDoS Attacks
Any IT administrator who runs or uses web servers with HTTP/2 capabilities should beware a flurry of zero-day attacks that have been causing distributed denials of service, warn security experts.
While vendors have yet to patch all affected software, many have already detailed "configuration changes and other mitigations" that administrators can make immediately, the U.S. Cybersecurity and Infrastructure Security Agency said in a Tuesday security alert.
Attackers have been actively exploiting the HTTP/2 vulnerabilities via so-called rapid request attacks, which can affect servers and also services, applications and APIs. One mitigation to block the attacks is to temporarily disable HTTP/2.
Amazon Web Services, Cloudflare and Google reported seeing the Rapid Reset vulnerability emerge in late August when they were each hit by sudden, massive traffic spikes. They traced the attacks, which can cause distributed-denial-of-service conditions, to a feature in HTTP/2 that allows rapid reset requests to be made, which can overwhelm targeted servers.
A consortium of cloud providers and software vendors has been collaborating since then on patches and mitigations, which they began to release Tuesday. The vulnerability is tracked as CVE-2023-44487. CISA warns that such attacks are continuing.
"Any enterprise or individual that is serving an HTTP-based workload to the Internet may be at risk from this attack," Emil Kiner, a Google product manager, and Tim April, a security reliability engineer at Google, said in a blog post. "Web applications, services and APIs on a server or proxy able to communicate using the HTTP/2 protocol could be vulnerable."
To illustrate the scale of the new attacks, Google said that in August 2022 it faced a then-record DDoS attack that peaked at 46 million requests per second. This August, Google said, it was hit with an HTTP/2 rapid request attack that was over seven times more powerful, peaking at 398 million requests per second.
"For a sense of scale, this 2 minute attack generated more requests than the total number of article views reported by Wikipedia during the entire month of September," said Google's Kiner and April.
Amazon Web Services said it suffered its first DDoS attacks using an HTTP/2 request flood, "which occurs when a high volume of illegitimate web requests overwhelms a web server's ability to respond to legitimate client requests," on Aug. 28.
While request floods have already been used to effect DDoS attacks, HTTP/2 has features attackers can exploit in new ways. "HTTP/2 allows for multiple distinct logical connections to be multiplexed over a single HTTP session," Mark Ryland, a director of security at Amazon, said in a blog post. "This is a change from HTTP 1.x, in which each HTTP session was logically distinct."
Attackers can abuse this by sending "multiple HTTP/2 connections with requests and resets in rapid succession," he said, leading the server to generate logs for nonexistent events, which can lead to it becoming overwhelmed.
"A client can repeatedly make a request for a new multiplex stream and immediately send an RST_STREAM frame to cancel it," according to a security alert issued by Red Hat. "This creates extra work for the server setting up and tearing down the streams while not hitting any server-side limit for the maximum number of active streams per connection, resulting in a denial of service due to server resource consumption."
"By automating this 'request, cancel, request, cancel' pattern at scale, threat actors overwhelm websites and are able to knock anything that uses HTTP/2 offline," DDoS defense firm Cloudflare said in a blog post.
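The Red Hat and Cloudflare descriptions above point at why the usual HTTP/2 defense, the per-connection cap on concurrent streams, does not fire: each stream is cancelled before the next one opens, so the active-stream count never rises. The following added example (not code from any vendor or project named in this article) illustrates one defensive response that vendors' mitigations share in spirit: count RST_STREAM frames per connection over a sliding window and close the connection with GOAWAY once the cancellation rate is implausible for a real client. The thresholds (100 resets in a 1-second window) and the two traffic traces are constructed for the demonstration and are assumptions, not figures from the article.

```python
from collections import deque


class ResetRateGuard:
    """Per-connection guard that tracks open streams and recent RST_STREAM
    frames. Hypothetical policy for illustration, not any vendor's code.
    A connection is flagged once the client sends more than `max_resets`
    cancellations within `window_seconds`; the server would then answer
    with GOAWAY and drop the connection."""

    def __init__(self, max_resets: int, window_seconds: float):
        self.max_resets = max_resets
        self.window = window_seconds
        self.resets = deque()          # timestamps of RST_STREAM frames seen
        self.open_streams = set()      # stream ids currently active
        self.peak_concurrent = 0       # what a MAX_CONCURRENT_STREAMS cap would see
        self.flagged = False

    def on_headers(self, stream_id: int, now: float) -> None:
        # HEADERS from the client opens a new stream.
        self.open_streams.add(stream_id)
        self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))

    def on_end_stream(self, stream_id: int) -> None:
        # Normal completion: the stream closes without a reset.
        self.open_streams.discard(stream_id)

    def on_rst_stream(self, stream_id: int, now: float) -> bool:
        # Cancellation: the stream closes, and the reset is recorded in the window.
        self.open_streams.discard(stream_id)
        self.resets.append(now)
        cutoff = now - self.window
        while self.resets and self.resets[0] < cutoff:
            self.resets.popleft()
        if len(self.resets) > self.max_resets:
            self.flagged = True
        return self.flagged


def evaluate(frames, max_resets: int = 100, window_seconds: float = 1.0) -> dict:
    """Replay a time-ordered list of (timestamp, frame_type, stream_id) events
    from one connection through the guard. Returns whether the connection was
    flagged, at which frame index, and the peak number of concurrent streams."""
    guard = ResetRateGuard(max_resets, window_seconds)
    for index, (ts, kind, sid) in enumerate(frames):
        if kind == "HEADERS":
            guard.on_headers(sid, ts)
        elif kind == "END_STREAM":
            guard.on_end_stream(sid)
        elif kind == "RST_STREAM" and guard.on_rst_stream(sid, ts):
            return {"flagged": True, "flagged_at": index,
                    "peak_concurrent": guard.peak_concurrent}
    return {"flagged": False, "flagged_at": None,
            "peak_concurrent": guard.peak_concurrent}


def browser_like_frames():
    """Constructed trace: a browser opens 20 image streams, lets 17 finish and
    cancels 3 that scrolled out of the viewport. Client stream ids are odd."""
    frames = [(i * 0.1, "HEADERS", 2 * i + 1) for i in range(20)]
    frames += [(2.0 + i * 0.01, "END_STREAM", 2 * i + 1) for i in range(17)]
    frames += [(2.5 + (i - 17) * 0.1, "RST_STREAM", 2 * i + 1) for i in range(17, 20)]
    return frames


def rapid_reset_frames(pairs: int = 500):
    """Constructed trace of the 'request, cancel' pattern described in the
    article: every stream is reset immediately after it is opened."""
    frames = []
    for i in range(pairs):
        t = i * 0.0001
        frames.append((t, "HEADERS", 2 * i + 1))
        frames.append((t, "RST_STREAM", 2 * i + 1))
    return frames


if __name__ == "__main__":
    print("browser-like:", evaluate(browser_like_frames()))
    print("rapid reset: ", evaluate(rapid_reset_frames()))
```

The point of the two traces is the `peak_concurrent` field: the abusive connection never has more than one stream open, so a concurrent-stream limit of 100 would never trigger, while the reset-rate guard flags it after the 101st cancellation. The legitimate trace, with its handful of cancellations, passes. Real servers pair this kind of counter with broader measures (connection-level rate limits and the vendor patches the article describes), since a single threshold can still be tuned around.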
AWS said it has patched the relevant software in its infrastructure and added further defenses against the "Layer 7 request floods" used in rapid reset attacks, as have Google and Cloudflare.
Numerous vendors, including Microsoft, have released or promised patches to safeguard against HTTP/2 rapid reset attacks. The technology giant said it has "hardened layer 7 protections in our web service implementations and patched services to better protect customers from the impact of these DDoS attacks."
Microsoft has released a list of affected products, which include all currently supported operating systems, and recommends anyone self-hosting web applications or proxies apply patches immediately. For Azure Front Door and Azure Application Gateway customers, it recommends they activate Azure's built-in web application firewall to help block attacks.
Other affected software that will need to be patched includes the NGINX open source web server, F5 BIG-IP load-balancing tools and the Apache HTTP/2 module. Experts say patches are not yet available for all affected products, and not all affected products may yet have been identified.
AWS said it "recommends customers who operate their own HTTP/2 capable web servers verify with their web server vendor to determine if they are affected and, if so, install the latest patches from their respective vendors to address this issue."
While disabling HTTP/2 is a temporary mitigation for blocking rapid reset DDoS attacks, experts recommend sticking with the protocol, which offers a number of advantages over HTTP/1, including the very stream-cancellation feature the attacks abuse.
"Request cancellation is a useful feature," Cloudflare said. "For example, when scrolling a webpage with multiple images, a web browser can cancel images that fall outside the viewport, meaning that images entering it can load faster. HTTP/2 makes this behavior a lot more efficient compared to HTTP/1.1."