Protecting Systems from the New HTTP/2 Rapid Reset Vulnerability
The A10 Networks threat research team has investigated the HTTP/2 rapid reset vulnerability (CVE-2023-44487), which has been identified in recent days and has advised customers on the best ways to mitigate it in their network.
The HTTP/2 rapid reset vulnerability (CVE-2023-44487) leverages the characteristics of the HTTP/2 protocol. Unlike HTTP/1.1, HTTP/2 permits multiplexing and concurrency, where multiple data streams can be established much more efficiently within a single TCP connection. The vulnerability allows malicious actors to bypass server limits on data streams by issuing reset stream packets immediately after requesting a new stream. Some bot exploits are known to request a large number of streams within a single TCP connection. Thereby, the servers may fail to clean up closed streams promptly, placing stress on the servers, then eventually disrupting services due to resource exhaustion.
Threat actors have harnessed botnets infected with malware scripts, which can initiate TCP sessions independently. They are coordinated by command-and-control servers (C2s), instructing them to initiate rapid reset attacks. In a recent incident, around 20,000 botnets participated in a DDoS attack, possibly including those monitored by A10 threat research team.
The attack itself is a non-reflection, non-volumetric and mostly encrypted. Therefore, it would be less visible from network-based traffic monitoring and DDoS detection systems, but it leverages a flaw in the stream multiplexing feature of HTTP/2 protocol, which makes any HTTP/2-enabled servers and proxies on the internet vulnerable and at risk from this attack.
Recommended Mitigation Strategies
Due to the nature of the vulnerability and potential DDoS attacks exploiting it, A10 – as an industry leader in the DDoS protection space – recommends the following mitigation strategies:
- Patch HTTP/2 servers:
Any organization who has HTTP/2-enabled systems should assess its exposure to this issue by referring to CVE-2023-44487 or their vendor’s advisory, and take appropriate remedies including software patches and updates as soon as possible. - Leverage HTTP/2 capable HTTP proxy or application delivery controller (ADC):
Rate limiting HTTP/2 requests alone may not completely remediate this vulnerability because it tends to affect the number of legitimate requests. In addition, without understanding the HTTP/2 request header, it will not be able to identify either legitimate requests or the attack itself. This is where the ADC (or HTTP proxy) comes in. The ADC establishes a connection from a source and handles HTTP/2 request on behalf of the backend servers. The ADC can parse and validate the request and apply countermeasures, for example – monitoring HEADER and RST_STREM frames counters and setting the limit of frames or concurrent streams on a connection. - IP blocklists:
Regularly updating and maintaining IP blocklists to block traffic from known botnets is a fundamental security practice. Blocking traffic from participating HTTP/2 attackers during the attack can substantially mitigate the threat. - Leverage network filters:
It’s recommended to implement geolocation and customizable filters to restrict incoming HTTP traffic. These filters can generally help identify and block potentially malicious traffic. - Per-source rate limiting:
Typical destination-based rate limiting is not effective as it will not distinguish between legitimate and attack requests. Applying per-source rate limiting on the inline network security device such as a firewall or DDoS protection system can help prevent a single client from opening an excessive number of HTTP streams in case infected bots are repeatedly sending an HTTP/2 rapid reset attack. It is a better practice to apply per-source rate limiting to IPs listed on the maintained IP block list. - Collaborate:
It’s important to share threat intelligence with security communities, peers, and industry partners. Collaborative efforts can lead to quicker identification and mitigation of emerging threats.
How A10 Can Help
A10 Thunder® ADC supports HTTP/2 protocol VIP (or virtual server) and has built-in control frame limits that can mitigate a HTTP/2 rapid reset attack. Refer to the A10 Security Advisory for CVE-2023-44487 for more details. By identifying the attackers’ IPs on the ADC, the feedback helps build an effective IP block list that can be used as the first line of defense on the firewall or DDoS protection system such as A10 Thunder TPS. Thunder TPS enables per-source rate limiting using the maintained IP block list and/or the IP block lists from the A10 threat intelligence service for the known botnets, dropping unwanted traffic before reaching the HTTP/2 server or ADC.
The HTTP/2 rapid reset vulnerability poses a serious threat to network security, and potentially leading to disruptive DDoS attacks. As attackers increasingly exploit this vulnerability with botnets, organizations must take proactive measures to protect their network infrastructure and services. Combining Thunder ADC, Thunder TPS, IP blocklists, and support from A10 research team will help in mitigating the impact of this vulnerability. Collaboration within the security community is essential to stay ahead of emerging threats and protect against future attacks.
Seeing is believing.
Schedule a live demo today.