The ease of operation of CVE-2023-44487 makes it a high-priority target for cybercriminals.
In August 2023, a critical vulnerability in the HTTP/2 protocol, known as CVE-2023-44487 or Rapid Reset, was identified. This vulnerability, which can cause denial-of-service (DoS) attacks, has become a major problem for Internet services and has attracted the attention of cybercriminals. Qrator Labs shared information about the functioning of CVE-2023-44487, its impact on HTTP / 2, and suggested security strategies.
When a user visits a website that supports HTTP / 2, a single connection is used for multiple resources, which increases the efficiency of interaction. However, this possibility opens the door to exploiting vulnerabilities, since a single connection can generate many requests, increasing the load on the server. To mitigate this problem, HTTP / 2 provides a mechanism for limiting the number of active simultaneous threads, which prevents clients from overloading the server.
The Rapid Reset operation consists in sending an attacker an RST_STREAM frame immediately after sending the request. This causes the server to start processing the request, but quickly cancels it. Although the request is canceled, the HTTP/2 connection remains active, which allows the attacker to repeat the attack by creating new streams. As a result, the server spends resources processing canceled requests, which can lead to denial of service.
Cybercriminals are actively exploiting the Rapid Reset vulnerability, using it to conduct DDoS attacks. The ease of operation and potential damage have made this vulnerability a prime target for cybercriminals.
In August 2023, a critical vulnerability in the HTTP/2 protocol, known as CVE-2023-44487 or Rapid Reset, was identified. This vulnerability, which can cause denial-of-service (DoS) attacks, has become a major problem for Internet services and has attracted the attention of cybercriminals. Qrator Labs shared information about the functioning of CVE-2023-44487, its impact on HTTP / 2, and suggested security strategies.
Vulnerability Overview CVE-2023-44487
HTTP / 2 has introduced many improvements over the previous version of the protocol, including stream multiplexing, which allows you to open multiple streams over a single TCP connection. However, the Rapid Reset vulnerability exploits the thread cancellation mechanism by applying RST_STREAM frames to disrupt the server.When a user visits a website that supports HTTP / 2, a single connection is used for multiple resources, which increases the efficiency of interaction. However, this possibility opens the door to exploiting vulnerabilities, since a single connection can generate many requests, increasing the load on the server. To mitigate this problem, HTTP / 2 provides a mechanism for limiting the number of active simultaneous threads, which prevents clients from overloading the server.
The Rapid Reset operation consists in sending an attacker an RST_STREAM frame immediately after sending the request. This causes the server to start processing the request, but quickly cancels it. Although the request is canceled, the HTTP/2 connection remains active, which allows the attacker to repeat the attack by creating new streams. As a result, the server spends resources processing canceled requests, which can lead to denial of service.
Consequences of CVE-2023-44487
The Rapid Reset vulnerability caused large-scale distributed DDoS attacks. Large companies such as Google, AWS, and Cloudflare have reported waves of attacks reaching hundreds of millions of requests per second. These attacks were carried out using relatively small botnets, which highlights the severity of the vulnerability.Cybercriminals are actively exploiting the Rapid Reset vulnerability, using it to conduct DDoS attacks. The ease of operation and potential damage have made this vulnerability a prime target for cybercriminals.
Strategies to protect against the CVE-2023-44487 vulnerability
Qrator Labs recommends using the following strategies to protect against the Rapid Reset vulnerability:- Connection Tracking: Keep a close eye on connection statistics, including the number of active threads, the speed of their creation, and the frequency of cancellations. Detect illegal HTTP/2 connections and evaluate the usefulness of each one based on the request content and client behavior. Close connections that show suspicious patterns.
- Speed limit: Implement connection-and thread-level traffic management mechanisms. Detect and block suspicious patterns, such as a large number of quickly canceled threads or requests from known malicious IP addresses. Use adaptive throttling or a request queue to dynamically manage speed limits depending on the severity of the attack.
- Recommendations for Apache: Configure the MaxRequestWorkers and MaxConnectionsPerChild directives on Apache web servers according to server capacity and expected traffic. Update libnghttp2 of the mod_http2 module to version 1.57.0 or higher, which includes vulnerability fixes. Use additional security modules, such as mod_security or mod_evasive, to enhance security.
- Recommendations for Nginx: Make sure that the default keepalive limit is not increased, so as not to make the server more vulnerable. If you use non-standard configurations with high keepalive restrictions, rebuild Nginx from the latest codebase with a patch to prevent excessive resource consumption. Configure the http2_max_concurrent_streams directive to limit the number of simultaneous streams based on server capacity and expected traffic.
