Detect & Mitigate HTTP/2: Rapid Reset Vulnerabilities, Adoption, impact mitigations for CVE-2023-44487

HTTP/2, Rapid Reset, Explaination, vulenrability, DDoS attacks, zero day, CVE-2023-44487

HTTP/2, Rapid Reset, Explaination, vulenrability, DDoS attacks, zero day, CVE-2023-44487

In what could be the biggest DDoS ever registered and in a month already full of advisories like LIBCURL Vulnerability HTTP/2 has been affected by a vulnerability CVE-2023-44487 aka Rapid Reset that could impact basically every web server and has been exploited in the wild. This blog aims to shed light on various aspects of HTTP/2, answering key questions that many have about this web protocol’s vulnerabilities and mitigations. The attackers leveraged this vulnerability to deploy a massive DDoS attack: Amazon mitigated attacks at a rate of 155 million requests per second, Cloudflare at 201 million rps, and Google endured a record-breaking 398 million rps. This vulnerability was under active attack in August.

What is HTTP/2?

HTTP/2 is the second major version of the HTTP network protocol, used by the World Wide Web. It brings key improvements over HTTP 1.1, such as smaller header sizes and multiplexing—the ability to send multiple requests for data in parallel over a single TCP connection. Unlike HTTP 1.1, which is text-based, HTTP/2 is binary-based, making it more compact and more efficient in terms of parsing.

HTTP/2, Rapid Reset, Explaination, vulenrability, DDoS attacks, zero day,

for each element of that page (CSS, images etc) HTTP 2 is a binary protocol that utilises multiplexing, which allows multiple requests and responses to be sent simultaneously over a single connection

HTTP/2, Rapid Reset, Explaination, vulenrability, DDoS attacks, zero day,

Daniel Cuthbert has done a fantastic analysis on HTTP 1 vs 2 and Rapid Reset vulnerability

Is HTTP/2 Vulnerable?

The short answer is yes. Like any technology, HTTP/2 is not immune to vulnerabilities. A notable example is CVE-2023-44487, a bug that exploits the HTTP/2 protocol’s feature called “streams.” Streams are multiplexed requests and responses with unique identifiers. The vulnerability lies in the RST_STREAM frame, which allows for immediate termination of a stream. Malicious actors have found ways to abuse this feature for DDoS attacks, making it a significant security concern.

Vendor Advisories and Statements for CVE-2023-44487 Rapid Reset

Several vendors have issued advisories and fixes for this vulnerability:

  • Apache Tomcat: Fixed in 8.5.94
  • AWS: No statement as of yet
  • F5: No statement as of yet
  • Microsoft IIS: No statement as of yet
  • Microsoft MsQuic: Fixed in 2.2.3
  • Nginx: Full details in their blog
  • nghttp2 library: Fixed in 1.57.0

CISA Advisory CVE-2023-44487 Rapid Reset

The Cybersecurity and Infrastructure Security Agency (CISA) has also advised on this vulnerability. For more details, you can refer to CISA’s advisory on CVE-2023-44487.

Why is HTTP/2 Not Widely Used?

Despite its advantages, HTTP/2 has not seen universal adoption. Several factors contribute to this:

  1. Compatibility Issues: Older systems and browsers may not support HTTP/2, making it less appealing for websites that cater to a broad audience.
  2. Lack of Awareness: Many website owners are not fully aware of the benefits that HTTP/2 can bring, leading to slower adoption rates.
  3. Server Updates: Transitioning to HTTP/2 often requires updates to web servers, which some organizations may find cumbersome or risky.

How to Change from HTTP 1.1 to HTTP 2?

Transitioning from HTTP 1.1 to HTTP/2 is generally straightforward but requires careful planning:

  1. Server Software: Ensure your web server software supports HTTP/2. Popular web servers like Apache and Nginx have HTTP/2 support.
  2. SSL/TLS: HTTP/2 requires SSL/TLS for secure connections, so make sure you have an SSL certificate installed.
  3. Configuration: Update your web server’s configuration files to enable HTTP/2.
  4. Testing: Before fully transitioning, test the HTTP/2 settings on a staging server to identify any issues.
  5. Monitoring: After the transition, monitor performance and error logs to ensure everything is running smoothly.

Is HTTP 1.1 Still Being Used?

Yes, HTTP 1.1 is far from obsolete. Many older systems and websites still use HTTP 1.1 due to compatibility reasons, lack of resources, or simply because they don’t require the performance improvements that HTTP/2 offers.

The Scale of the Attack: A New Benchmark in Cyber Threats

On August 25, 2023, the cybersecurity community was put on high alert. Automated DDoS systems began detecting and mitigating unusually large HTTP attacks against numerous targets. While DDoS attacks are not new, the scale of this particular attack was unprecedented. The attack eventually peaked at an astonishing 201 million requests per second, nearly tripling the size of the previous largest attack on record.

The Botnet Factor

What makes this attack even more alarming is the relatively small size of the botnet used to execute it. The attacker generated this massive attack using a botnet of just 20,000 machines. To put this in perspective, botnets today consist of hundreds of thousands or even millions of machines.

The Potential for Widespread Impact

The implications are staggering because the entire web typically sees only between 1–3 billion requests per second. Using this method, it’s conceivable that an attacker could focus an entire web’s worth of requests on a small number of targets, effectively crippling them. This raises serious questions about the preparedness of current cybersecurity measures to handle attacks of this scale.

Mitigation Strategies for CVE-2023-44487 Rapid Reset

One way to mitigate the vulnerabilities in HTTP/2 is to disable it on your web server. Microsoft provides a guide on how to do this using the Registry Editor. However, it’s crucial to exercise caution when using the Registry Editor, as incorrect usage can lead to severe system issues.

Here’s a step-by-step guide based on Microsoft’s recommendations:

  1. Open Registry Editor: Click Start, click Run, type Regedit in the Open box, and click OK.
  2. Locate Subkey: Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters.
  3. Edit DWORD Values: Set DWORD type values EnableHttp2TIs and EnableHttp2Cleartext to 0 to disable HTTP/2 or 1 to enable it.
  4. Restart: Exit the Registry Editor and restart your computer.

For more details, you can refer to Microsoft’s update guide on CVE-2023-44487.

Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:

Testing and Scanning Tools for CVE-2023-44487

For those interested in testing their web servers for HTTP/2 support or vulnerability to CVE-2023-44487, you can use this HTTP/2 scanner Python script. Credit to Daniel Cuthbert

Alternatively, you can use this Python script, please use at your own risk, and review the code before running it

How Phoenix Security Can Help Identify HTTP/2 Vulnerability CVE-2023-44487 in Your Products

HTTP/2, Explaination, vulenrability, DDoS attacks, zero day, CVE-2023-44487 , phoenix security

Phoenix Security serves as a beacon for security professionals aiming to pinpoint the vulnerabilities at scale, while CVE-2023-44487 is fairly new you should be able to identify the vulnerabilities in the vulnerability screen and asset screen vulnerability within their systems.

HTTP/2, Explaination, vulenrability, DDoS attacks, zero day, CVE-2023-44487 , phoenix security

You can also scan with the above scripts and import the results into phoenix to have an asset inventory

Previous Issues of Vulnerability Weekly

Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Critical Alert: Discover the implications of the Lace Tempest CVE-2023-47246 vulnerability in SysAid software, exploited by the notorious ransomware group TA505 also known as cl0p. Learn path traversal flaw, Microsoft’s insights, and urgent patching advice. Stay informed on the latest in cybersecurity with Phoenix Security’s insights and solutions for mitigating this high-impact ransomware threat. Focus on your vulnerability management program and application security program
Francesco Cipollone

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

x Logo: ShieldPRO
This Site Is Protected By