Information Risk Management Blog

Rapid reset attacks: A call to action for HTTP/2 users

Written by Aujas Cybersecurity | Nov 9, 2023

Recently, tech giants like Google, Amazon, Microsoft, and Cloudflare reported face-offs against massive Distributed Denial of Service (DDoS) attacks on their cloud systems. A DDoS attack, a well-known internet threat, involves overwhelming a service with malicious requests from multiple sources to make it unavailable for legitimate users.

Over the years, application layer attacks have increased in frequency and complexity. Adversaries are constantly exploiting new technological advancements to develop increasingly sophisticated attacks. One such threat is the HTTP/2 rapid reset attack.

Google recently experienced a string of HTTP/2 rapid reset DDoS attacks peaking at a whopping 398 million requests per second (RPS). This is a massive 7.5 times increase from Google's earlier record in 2022. Google Cloud's Emil Kiner and Tim April emphasized this recently, pointing out that DDoS attacks can severely impact targeted organizations, leading to business losses and the unavailability of critical applications. They noted, "Recovery time from DDoS attacks can extend well beyond the attack's conclusion."

Understanding HTTP/2 rapid reset attacks

The HTTP/2 rapid reset attack is a recent form of a DDoS threat targeting servers using HTTP/2. It manipulates how HTTP/2 manages connection resets, potentially overwhelming and paralyzing servers.

Simply put, this attack method exploits a feature in HTTP/2 that halts ongoing activities. Adversaries bombard the target server or application with a continuous flow of requests and cancellations, resulting in a DoS situation. HTTP/2 does include measures designed to restrict simultaneous activities and prevent DoS attacks, but these measures aren't entirely foolproof.

In response to this, developers introduced an advanced feature named "request cancellation." However, malicious actors have found ways to exploit this functionality. Since late August, these adversaries have been flooding servers with numerous HTTP/2 requests and resets (known as RST_STREAM frames).

Consequently, servers struggle to manage this influx of requests and rapid cancellations, severely impacting their ability to process new incoming requests. It's akin to a digital onslaught catching these servers off guard.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory regarding this vulnerability, identified as CVE-2023-44487. It recommends that organizations providing HTTP/2 services implement available patches and consider configuration adjustments.
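
The request-and-cancel pattern described above can be detected per connection by counting client RST_STREAM frames that cancel streams the same client just opened. The following Python example is added here for illustration and is not code from Aujas, CISA, or any HTTP/2 server; the thresholds, the fixed per-frame time step, and the sample byte strings are constructed assumptions.

```python
from collections import deque

HEADERS, RST_STREAM = 0x1, 0x3          # frame type codes (RFC 9113)
FRAME_HEADER_LEN = 9                     # 24-bit length, type, flags, 31-bit stream id

def parse_frames(buf):
    """Yield (frame_type, stream_id) for each complete HTTP/2 frame in buf."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype = buf[pos + 3]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + FRAME_HEADER_LEN + length > len(buf):
            break                        # truncated frame: stop, do not guess
        yield ftype, stream_id
        pos += FRAME_HEADER_LEN + length

class ResetMonitor:
    """Counts client cancellations of opened streams on one connection."""
    def __init__(self, max_resets=100, window=1.0):   # assumed thresholds
        self.max_resets, self.window = max_resets, window
        self.opened = set()              # streams opened by a HEADERS frame
        self.resets = deque()            # timestamps of recent cancellations
    def observe(self, ftype, stream_id, now):
        """Return True once resets inside the window exceed max_resets."""
        if ftype == HEADERS:
            self.opened.add(stream_id)
        elif ftype == RST_STREAM and stream_id in self.opened:
            self.opened.discard(stream_id)
            self.resets.append(now)
        while self.resets and now - self.resets[0] > self.window:
            self.resets.popleft()
        return len(self.resets) > self.max_resets

def scan(buf, step=0.001, **limits):
    """Index of the frame that trips the monitor, or None; `step` spaces frames in time."""
    monitor = ResetMonitor(**limits)
    for i, (ftype, sid) in enumerate(parse_frames(buf)):
        if monitor.observe(ftype, sid, i * step):
            return i
    return None

def frame(ftype, stream_id, payload):
    """Build one frame for the constructed samples (flags 0; payload is never decoded)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, 0]) + stream_id.to_bytes(4, "big") + payload

CANCEL = (8).to_bytes(4, "big")          # RST_STREAM error code CANCEL
NORMAL = b"".join(frame(HEADERS, 2 * k + 1, b"hdr") for k in range(20)) + frame(RST_STREAM, 5, CANCEL)
BURST = b"".join(frame(HEADERS, 2 * k + 1, b"hdr") + frame(RST_STREAM, 2 * k + 1, CANCEL) for k in range(200))
```

With the assumed defaults, the ordinary sample passes and the burst sample is flagged at the 101st cancellation; the same cancellations spread out over time stay under the limit.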

Why should you test for this attack?

As 62% of internet traffic relies on HTTP/2, testing for HTTP/2 attacks is a critical step in safeguarding your systems against potential vulnerabilities. Here's how it can help:

Uncover weaknesses ahead of adversaries

Anticipating vulnerabilities before they become targets is key. Through proactive system testing, you can detect and address potential weaknesses before they're exploited, putting you in a position of strength.

Confirm the efficacy of your fixes and mitigation settings

For those who have implemented measures to defend against such attacks, testing becomes crucial for validating the effectiveness of applied patches and new configurations.

Enhance surveillance and notifications

Simulated attacks offer an ideal scenario for testing the reliability of your monitoring systems and alert mechanisms, ensuring they're finely tuned to identify and respond to genuine threats effectively.

Adhering to compliance and reporting standards

Regular testing not only aids in meeting compliance standards but also delivers essential documentation to stakeholders regarding the robustness of your systems' resilience.

The Aujas Cybersecurity advantage

The DDoS Threat Simulation service provided by Aujas Cybersecurity in collaboration with RedWolf Security Inc. offers a strategic approach to evaluate your infrastructure, affirm your defenses, and strengthen your overall security stance. Instead of waiting for an attack, take proactive measures to fortify your infrastructure with:

End-to-end testing capabilities

Tailored to replicate the specific attack method of the HTTP/2 rapid reset, an advanced module ensures a highly realistic testing environment for your assessments.

Expert guidance and support

Our dedicated team of experts is available around the clock to assist you through the testing procedures, decipher test outcomes, and suggest necessary actions.

Rapid results turnaround

Time is vital in cybersecurity. Through our partnered platform, tests can be swiftly executed, and results promptly delivered, enabling immediate corrective measures.

Safeguard your organization against emerging threats by selecting Aujas Cybersecurity for in-depth, advanced, and swift testing solutions.

 
