CVE-2023-44487: New HTTP/2 "Rapid Reset" Sets DDoS Record
In a coordinated disclosure, Amazon Web Services (AWS), Cloudflare, and Google revealed a technique for abusing HTTP/2 to mount Distributed Denial-of-Service (DDoS) attacks. The attacks, now known as "HTTP/2 Rapid Reset", were first observed in late August 2023 and continued into September. They were far larger than any previously reported Layer 7 DDoS attack: the largest reached 398 million requests per second (rps) against Google, AWS reported a peak of 155 million rps, and Cloudflare saw 201 million rps. The zero-day vulnerability is now tracked as CVE-2023-44487 and carries a CVSS score of 7.5 out of 10. The CVE covers how HTTP/2 server implementations handle stream cancellation rather than a bug in a single product, so fixes shipped separately in many HTTP/2 servers, proxies, and libraries.
The attack, as explained in AWS's report and echoed by Cloudflare and Google, abuses a fundamental change introduced by HTTP/2, which allows "multiple distinct logical connections to be multiplexed over a single HTTP session. This is a change from HTTP 1.x, in which each HTTP session was logically distinct. HTTP/2 rapid reset attacks consist of multiple HTTP/2 connections with requests and resets in rapid succession." An attacker exploits this multiplexing by opening many concurrent streams on a single TCP connection and immediately cancelling each request with an RST_STREAM frame, so the server begins work on requests the client has already abandoned.
In HTTP/2, RST_STREAM is the control frame that abruptly terminates a single stream within a connection. A stream represents one HTTP request-response exchange, and sending RST_STREAM tells the peer that the stream is closed immediately. The frame is unilateral: it needs no acknowledgement or coordination between client and server, and a cancelled stream stops counting against the connection's concurrency limit (SETTINGS_MAX_CONCURRENT_STREAMS) at once. "By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams," Google explains. Because a server typically dispatches a request for processing as soon as its HEADERS frame arrives, each cancelled request still costs it work (header decoding, routing, backend calls) even though no response is ever delivered, and the attacker can repeat the open-and-cancel cycle far faster than the concurrency limit was meant to allow. The practical defence sits on the server: apply vendor patches, and track the rate of client-initiated resets per connection, closing the connection (for example with a GOAWAY frame) when a client cancels far more requests than it lets complete. Industry-wide coordination and vulnerability disclosure were instrumental in addressing this emerging threat, as exemplified by the coordinated disclosure between AWS, Cloudflare, and Google.
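The following is an added illustration, not code from the original article or from AWS, Cloudflare, or Google. It serializes the HTTP/2 frames the attacker actually sends (HEADERS immediately followed by RST_STREAM, stream after stream) and runs them through a toy server that models the two things that matter: the concurrency limit the attack never trips, and the backend work that is dispatched anyway. The `max_resets` parameter is a simplified version of the per-connection reset-rate mitigation; real servers count resets over a time window, and the TLS layer, connection preface, SETTINGS exchange, and HPACK dynamic table are all omitted. The hostname `example.test`, the frame sequence, and the limits are constructed for the example.

```python
import struct

# HTTP/2 frame types, flags and error codes used below (RFC 9113).
HEADERS, RST_STREAM, GOAWAY = 0x1, 0x3, 0x7
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, CANCEL, ENHANCE_YOUR_CALM = 0x1, 0x8, 0xB


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def hpack_literal(name, value):
    """HPACK 'literal header field without indexing, new name', no Huffman coding (RFC 7541 6.2.2)."""
    n, v = name.encode(), value.encode()
    assert len(n) < 127 and len(v) < 127  # single-byte string lengths keep this helper short
    return b"\x00" + bytes([len(n)]) + n + bytes([len(v)]) + v


def client_burst(n_streams, reset=True, path="/"):
    """Client side. With reset=True this is the rapid reset pattern: every HEADERS frame is
    followed in the same write by RST_STREAM(CANCEL), so the stream is closed before the
    server can respond. With reset=False it is an ordinary burst of requests."""
    out = bytearray()
    block = (hpack_literal(":method", "GET") + hpack_literal(":path", path)
             + hpack_literal(":scheme", "https") + hpack_literal(":authority", "example.test"))
    for i in range(n_streams):
        sid = 2 * i + 1  # client-initiated stream ids are odd and increasing
        out += frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, block)
        if reset:
            out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return bytes(out)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, sid, payload
        pos += 9 + length


def serve_connection(data, max_concurrent_streams=100, max_resets=None):
    """Server side. Each HEADERS frame hands a job to the backend; RST_STREAM frees the
    stream slot. max_resets=None is the unpatched behaviour; otherwise, once the client has
    cancelled more than max_resets streams on this connection, the server answers
    GOAWAY(ENHANCE_YOUR_CALM) and stops reading. Returns the counters a defender wants."""
    open_streams = set()
    stats = {"backend_jobs": 0, "peak_open": 0, "resets": 0, "goaway": None}
    last_sid = 0
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            if len(open_streams) >= max_concurrent_streams:
                # Peer violated SETTINGS_MAX_CONCURRENT_STREAMS: the one limit the attack
                # deliberately never reaches.
                stats["goaway"] = frame(GOAWAY, 0, 0, struct.pack(">II", last_sid, PROTOCOL_ERROR))
                break
            open_streams.add(sid)
            last_sid = sid
            stats["peak_open"] = max(stats["peak_open"], len(open_streams))
            stats["backend_jobs"] += 1  # work is dispatched before any cancellation is seen
        elif ftype == RST_STREAM:
            open_streams.discard(sid)
            stats["resets"] += 1
            if max_resets is not None and stats["resets"] > max_resets:
                stats["goaway"] = frame(GOAWAY, 0, 0, struct.pack(">II", last_sid, ENHANCE_YOUR_CALM))
                break
    return stats


if __name__ == "__main__":
    attack = client_burst(1000)
    print("unpatched:", serve_connection(attack))           # 1000 backend jobs, peak_open 1
    print("mitigated:", serve_connection(attack, max_resets=100))  # 101 jobs, then GOAWAY
```

Running it shows the asymmetry the article describes: a thousand requests are handed to the backend while the number of concurrently open streams never rises above one, so a server that only enforces SETTINGS_MAX_CONCURRENT_STREAMS sees nothing wrong. Counting cancellations per connection and sending GOAWAY caps the damage at roughly the reset threshold; production servers additionally scope that count to a time window so that a legitimate client that occasionally cancels requests is not cut off.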