Hackers Discover New Way to Execute Potent DDoS Attacks

In August 2023, a critical vulnerability in the HTTP/2 protocol, tracked as CVE-2023-44487 and known as Rapid Reset, came to light. The vulnerability, which enables denial-of-service (DoS) attacks, has become a serious problem for Internet services and has attracted the attention of cybercriminals. Qrator Labs shared information about how CVE-2023-44487 works, its impact on HTTP/2, and proposed defense strategies.

Overview of the CVE-2023-44487 vulnerability

HTTP/2 introduced many improvements over the previous version of the protocol, including stream multiplexing, which allows several streams to be opened over a single TCP connection. However, the Rapid Reset vulnerability abuses the stream-cancellation mechanism, the RST_STREAM frame, to overwhelm the server.

When a user visits a website that supports HTTP/2, a single connection is used to fetch several resources, which makes the interaction more efficient. However, this capability also opens the door to abuse, since one connection can generate many requests and drive up the load on the server. To mitigate this, HTTP/2 provides a mechanism that limits the number of concurrently active streams, preventing clients from overloading the server.

Exploiting Rapid Reset consists of the attacker sending an RST_STREAM frame immediately after sending a request. This makes the server start processing the request and then cancel it almost at once. Although the request is cancelled, the HTTP/2 connection remains active and the cancelled stream no longer counts against the concurrent-stream limit, so the attacker can repeat the cycle by opening new streams. As a result, the server spends resources processing cancelled requests, which can lead to denial of service.
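As an added example (not code from the Qrator Labs report), the following Python detector shows the defender-side signal this mechanism leaves: per connection, it counts RST_STREAM frames that arrive within milliseconds of the HEADERS frame that opened the stream, and flags the connection once that count exceeds a threshold inside a sliding window. The frame log format, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample (not captured traffic): client-sent HTTP/2 frames as
# "<seconds> conn=<id> stream=<id> <FRAME_TYPE>". Connection A opens two
# streams and cancels one after half a second (a normal browser cancel);
# connection B opens a stream and resets it within a millisecond, 150 times.
SAMPLE_FRAMES = [
    "0.000 conn=A stream=1 HEADERS",
    "0.010 conn=A stream=3 HEADERS",
    "0.500 conn=A stream=3 RST_STREAM",
]
for i in range(150):
    t = 1.0 + i * 0.001
    SAMPLE_FRAMES.append(f"{t:.4f} conn=B stream={2 * i + 1} HEADERS")
    SAMPLE_FRAMES.append(f"{t + 0.0003:.4f} conn=B stream={2 * i + 1} RST_STREAM")

def parse_frames(lines):
    """Turn log lines into (ts, conn, stream_id, frame_type) tuples."""
    events = []
    for line in lines:
        ts, conn, stream, ftype = line.split()
        events.append((float(ts), conn[5:], int(stream[7:]), ftype))
    return events

def detect_rapid_reset(events, rapid_s=0.05, window_s=1.0, max_rapid=50):
    """Return {conn: count} for connections that send more than max_rapid
    'rapid' resets (RST_STREAM under rapid_s after the opening HEADERS) inside
    any window_s interval. The concurrent-stream limit alone cannot stop this
    pattern, because each reset frees a stream slot immediately."""
    open_ts = {}                # (conn, stream) -> time HEADERS was seen
    rapid = defaultdict(deque)  # conn -> timestamps of recent rapid resets
    flagged = {}
    for ts, conn, stream, ftype in sorted(events):
        if ftype == "HEADERS":
            open_ts[(conn, stream)] = ts
        elif ftype == "RST_STREAM":
            opened = open_ts.pop((conn, stream), None)
            if opened is None or ts - opened >= rapid_s:
                continue        # late or unknown cancel: normal client behaviour
            q = rapid[conn]
            q.append(ts)
            while q and ts - q[0] > window_s:
                q.popleft()     # slide the window forward
            if len(q) > max_rapid and conn not in flagged:
                flagged[conn] = len(q)
    return flagged
```

A flagged connection is a candidate for closing with GOAWAY or for per-client rate limiting; the thresholds should be tuned against the site's own baseline of legitimate cancellations.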

The Rapid Reset vulnerability has caused large-scale distributed denial-of-service (DDoS) attacks. Large companies such as Google, AWS, and Cloudflare reported waves of attacks reaching hundreds of millions of requests per second. These attacks were carried out using relatively small botnets, which underscores the severity of the vulnerability.

Cybercriminals are actively exploiting the Rapid Reset vulnerability for DDoS attacks. The ease of exploitation and the potential damage have made it a prime target for them.

Strategies for the
