Overview
On October 10th, 2023, Google disclosed a zero-day vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487, that was behind the largest DDoS attack Google had observed, peaking at 398 million requests per second. The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on the attack on the same day. The vulnerability has been exploited in the wild from August 2023 through October 2023. It allows malicious actors to launch DDoS attacks against HTTP/2 servers: the attacker sends a very large number of HTTP/2 requests and cancels each one immediately, so the server performs the work of setting up and tearing down every request while the attacker spends almost no resources of its own. The result is a sharp increase in requests per second and in CPU utilization on the targeted servers, which eventually leads to resource exhaustion. FortiGuard Labs has confirmed that the Distributed Denial-of-Service (DDoS) technique associated with CVE-2023-44487 is being used in the wild. The attack, known as 'HTTP/2 Rapid Reset', abuses how HTTP/2 server implementations handle stream cancellation, and the vulnerability has been given a CVSS rating of 7.0 (High Severity).
What is the Novel HTTP/2 Rapid Reset Global Attack?
The 'Rapid Reset' technique exploits the 'stream multiplexing' feature of HTTP/2, under which a client can carry many concurrent requests (streams) over a single TCP connection. Attackers repeatedly open a stream with a request and then immediately cancel it. Each open costs the server real work (decoding the headers, routing the request, often dispatching it to a backend) while the cancel costs the attacker only a few bytes, so the server-side workload grows far faster than the attacker's resource cost. By leveraging this asymmetry, the attack overwhelms the target website or application, potentially causing it to malfunction or become unresponsive.

HTTP/2 includes a safety mechanism designed to limit the number of active streams per connection, the SETTINGS_MAX_CONCURRENT_STREAMS setting, which is meant to protect against Denial of Service (DoS) attacks. However, this safeguard is not effective here. The protocol allows clients to cancel a stream unilaterally with an RST_STREAM frame, without requiring the server's approval, and a cancelled stream no longer counts toward the concurrency limit. An attacker can therefore keep the number of active streams at one while pushing an effectively unbounded number of requests through a single connection, flooding the server with a rapid sequence of requests and cancellations. Botnets can be utilized to generate an enormous volume of these requests, significantly amplifying the attack and posing a severe threat to the targeted web infrastructure.

This method of attack is particularly insidious because it exploits a standard feature of the protocol rather than a flaw in the protocol itself; the weakness lies in server implementations that spend more work per request than the concurrency limit can constrain. The CVE-2023-44487 vulnerability highlights a specific instance where web servers are impacted by this kind of load increase due to rapid stream generation and cancellation. This vulnerability can lead to a Denial of Service (DoS) condition, severely disrupting normal operations. Organizations using HTTP/2-enabled web servers are advised to contact their web server vendors to obtain and implement the necessary patches to mitigate this vulnerability. Ensuring these updates are applied is crucial to maintaining the resilience and stability of web services against such sophisticated DoS attacks.
FortiWeb Protection
The Fortinet FortiGuard Threat Research team recommends deploying application-layer protection services such as the FortiWeb Web Application Firewall (WAF) to protect web applications against DoS attacks. In the FortiWeb GUI you can configure the HTTP/2 RST Stream and HTTP/2 RST Stream Frequency constraints under HTTP Protocol Constraints to protect against the HTTP/2 Rapid Reset attack: go to Web Protection -> Protocol -> HTTP, then select Create New or Edit an existing entry. These constraints apply to the HTTP/2 connections that FortiWeb itself terminates, so they protect only servers whose traffic passes through FortiWeb; origin servers should still be patched as described above.
Diagram 2: HTTP RST Stream Options
In addition, Fortinet recommends deploying an Application Delivery Controller service for load balancing, such as FortiADC, which improves the overall security posture. FortiGuard also highly recommends restricting access to affected services to specific trusted sources where applicable.
The Fortinet FortiGuard Threat Research team will monitor this vulnerability vigilantly to preempt potential exploits. Fortinet remains committed to promptly delivering patches, updates, and pertinent information as necessary.
References:
HTTP/2 Rapid Reset Attack | Outbreak Alert | FortiGuard Labs: https://www.fortiguard.com/threat-signal-report/5286/http-2-rapid-reset-attack-cve-2023-44487
Intrusion Prevention | FortiGuard Labs (fortinet.com)
CVE-2023-44487 | MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487