October 27, 2023

HTTP/2 Rapid Reset: A New Vulnerability in the Protocol and the Impact on Cloud Services

Let's Explore the HTTP/2 Rapid Reset Vulnerability: How It Works, Its Implications, and the Security Measures You Need for Your Web Infrastructure

Introduction

Recently, tech giants such as Google, Amazon, Microsoft, and Cloudflare have revealed that they have faced massive DDoS attacks against their cloud infrastructure. The attacks were as unique as they were dangerous, exploiting a vulnerability in a key web protocol: HTTP/2. This article aims to explain the severity of the situation and what it means for businesses and individuals using web services.

What is HTTP/2 Rapid Reset?

The vulnerability known as “HTTP/2 Rapid Reset” was reported with the identifier CVE-2023-44487 and exploits a weakness in the HTTP/2 protocol. It does not allow you to take remote control of a server or exfiltrate data, but it does allow attackers to carry out Denial of Service (DoS) attacks. According to Emil Kiner and Tim April of Google Cloud, such a loss of availability can have a “large-scale impact on victim organizations, including loss of business and unavailability of mission-critical applications.”

How Does the Attack Work?

The attack exploits HTTP/2's stream cancellation feature to continuously send and cancel requests, overloading the target server or application and imposing a DoS state. Malicious actors have been using this technique since August to send a barrage of HTTP/2 requests and resets (RST_Stream frames) to a server, asking the server to process them and perform quick resets, thus exceeding its ability to respond to new incoming requests .

Diagram-HTTP2-Reset-Attack

Ineffective Safeguards

HTTP/2 includes a security measure in the form of a parameter that limits the number of simultaneously active flows to prevent DoS attacks. However, this measure is not always effective. The protocol's developers introduced a more efficient measure called request cancellation, which does not interrupt the entire connection, but can be abused.

Technical details

As Google explains in its post on the topic, “the protocol does not require the client and server to coordinate deletion in any way; the client can do it unilaterally.” This means that the client can assume that the deletion will take effect immediately when the server receives the RST_STREAM frame, before any other data is processed from that TCP connection.

Where Does Vulnerability Come From?

The vulnerability is inherent in the specification of the HTTP/2 protocol, developed by the Internet Engineering Task Force (IETF). This protocol has been widely adopted and is the fastest and most efficient successor to the classic HTTP protocol. The vulnerability is therefore relevant for “every modern web server”, as highlighted by Cloudflare's Lucas Pardue and Julien Desgats.

Why is it so Hard to Fix?

Unlike a bug in specific software, which can be fixed by a single entity, a vulnerability in a protocol requires a much more widespread approach to mitigate. Each website implements the specification in its own way, and therefore each organization or individual must work on their own protections.

Open Source as an Advantage

Dan Lorenc, an expert on open source software, suggests that the availability of open source code is an advantage in situations like this. Many web servers have probably copied their HTTP/2 implementation from another source, thus facilitating the deployment of security patches.

What Should Companies Do?

For companies focused on web performance, like us, it is crucial to stay updated on these emerging threats and implement the necessary security patches as soon as possible. It is crucial to consult official resources for the latest patches and apply them to your web servers. However, full adoption of these patches will take years, and some services that have implemented HTTP/2 from scratch may remain vulnerable in the long term.

Conclusion

While recent DDoS attacks were successfully repelled, they revealed the existence of a protocol vulnerability that now needs to be addressed on a global scale. It's a powerful reminder of how crucial it is to maintain a proactive approach to cybersecurity and protecting your digital assets.

For more information on how to protect your infrastructure, please contact us or check out our other blog resources, where we discuss topics such as Linux systems engineering, MySQL, Databases, AWS Cloud and performance optimization.

Do you have doubts? Don't know where to start? Contact us!

We have all the answers to your questions to help you make the right choice.

Chat with us

Chat directly with our presales support.

0256569681

Contact us by phone during office hours 9:30 - 19:30

Contact us online

Open a request directly in the contact area.

INFORMATION

Managed Server Srl is a leading Italian player in providing advanced GNU/Linux system solutions oriented towards high performance. With a low-cost and predictable subscription model, we ensure that our customers have access to advanced technologies in hosting, dedicated servers and cloud services. In addition to this, we offer systems consultancy on Linux systems and specialized maintenance in DBMS, IT Security, Cloud and much more. We stand out for our expertise in hosting leading Open Source CMS such as WordPress, WooCommerce, Drupal, Prestashop, Joomla, OpenCart and Magento, supported by a high-level support and consultancy service suitable for Public Administration, SMEs and any size.

Red Hat, Inc. owns the rights to Red Hat®, RHEL®, RedHat Linux®, and CentOS®; AlmaLinux™ is a trademark of AlmaLinux OS Foundation; Rocky Linux® is a registered trademark of the Rocky Linux Foundation; SUSE® is a registered trademark of SUSE LLC; Canonical Ltd. owns the rights to Ubuntu®; Software in the Public Interest, Inc. holds the rights to Debian®; Linus Torvalds holds the rights to Linux®; FreeBSD® is a registered trademark of The FreeBSD Foundation; NetBSD® is a registered trademark of The NetBSD Foundation; OpenBSD® is a registered trademark of Theo de Raadt. Oracle Corporation owns the rights to Oracle®, MySQL®, and MyRocks®; Percona® is a registered trademark of Percona LLC; MariaDB® is a registered trademark of MariaDB Corporation Ab; REDIS® is a registered trademark of Redis Labs Ltd. F5 Networks, Inc. owns the rights to NGINX® and NGINX Plus®; Varnish® is a registered trademark of Varnish Software AB. Adobe Inc. holds the rights to Magento®; PrestaShop® is a registered trademark of PrestaShop SA; OpenCart® is a registered trademark of OpenCart Limited. Automattic Inc. owns the rights to WordPress®, WooCommerce®, and JetPack®; Open Source Matters, Inc. owns the rights to Joomla®; Dries Buytaert holds the rights to Drupal®. Amazon Web Services, Inc. holds the rights to AWS®; Google LLC holds the rights to Google Cloud™ and Chrome™; Microsoft Corporation holds the rights to Microsoft®, Azure®, and Internet Explorer®; Mozilla Foundation owns the rights to Firefox®. Apache® is a registered trademark of The Apache Software Foundation; PHP® is a registered trademark of the PHP Group. CloudFlare® is a registered trademark of Cloudflare, Inc.; NETSCOUT® is a registered trademark of NETSCOUT Systems Inc.; ElasticSearch®, LogStash®, and Kibana® are registered trademarks of Elastic NV Hetzner Online GmbH owns the rights to Hetzner®; OVHcloud is a registered trademark of OVH Groupe SAS; cPanel®, LLC owns the rights to cPanel®; Plesk® is a registered trademark of Plesk International GmbH; Facebook, Inc. owns the rights to Facebook®. This site is not affiliated, sponsored or otherwise associated with any of the entities mentioned above and does not represent any of these entities in any way. All rights to the brands and product names mentioned are the property of their respective copyright holders. Any other trademarks mentioned belong to their registrants. MANAGED SERVER® is a trademark registered at European level by MANAGED SERVER SRL, Via Enzo Ferrari, 9, 62012 Civitanova Marche (MC), Italy.

Back to top