All the leading OEMs are actively tracking the novel distributed denial-of-service attacks that were disclosed earlier this week. The techniques described resulted in a record-breaking DDoS attack and could facilitate much larger attacks in the future.
CVE-2023-44487, a vulnerability that resides in the HTTP/2 protocol itself, was recently used to launch intensive DDoS attacks against several targets.
The layer 7 attacks were first detected in late August 2023. The underlying weakness is being tracked as CVE-2023-44487 and carries a CVSS score of 7.5.
The attacks aimed at Google’s cloud infrastructure peaked at 398 million requests per second (RPS), those that struck AWS peaked at 155 million RPS, and the traffic seen by Cloudflare exceeded 201 million RPS.
The heart of the issue lies in the way the HTTP/2 protocol handles request cancellations, or resets. When a client issues a reset for an HTTP/2 request, the server consumes resources cancelling the corresponding stream. Immediately after issuing a reset, the client can open a new stream. This rapid opening and cancelling of HTTP/2 streams is what causes the denial of service. Because HTTP/2 has been integrated into a wide variety of web platforms, this vulnerability is likely to have widespread impact.
HTTP/2 made improvements over previous versions of the HTTP protocol, including changing the ways HTTP requests were handled. Earlier versions of HTTP rely on request response serialization, in which a client sends a request to a server and then receives a response from that server over the same TCP connection. HTTP/2 formats requests and responses into HTTP/2 frames. Each frame has its own stream ID, used to identify which requests and responses correspond with each other. This allows for multiplexing and concurrent requests. This design is much more in line with the way web traffic occurs today, typically requiring large amounts of asynchronous requests for various types of data as web pages load.
This new mechanism is where the DoS vulnerability lies. Attackers have discovered that by creating large numbers of requests and resets in a short period of time, they can consume valuable resources on HTTP/2 servers, resulting in a denial of service. The challenge is that when viewing certain types of web pages, large numbers of these requests are expected. This can also include some resets, for example when a user quickly scrolls through a page and the browser cancels image loads that are no longer needed. The other compounding factor is that there is a hard limit on the number of concurrent streams an HTTP/2 server will accept.
According to RFC 9113, it is recommended that the SETTINGS_MAX_CONCURRENT_STREAMS for an HTTP/2 server be no smaller than 100, “so as to not unnecessarily limit parallelism.” If an attacker with a large number of systems under their control can fill up these connection pools with open or half-open HTTP/2 connections, the HTTP/2 server can be overwhelmed.
This is exactly what has been occurring at Cloudflare and other large providers. Beginning in late August, these networks started seeing large-scale DDoS attacks leveraging this novel technique, eventually peaking at more than 200 million requests a second, accomplished with a botnet of only 20,000 systems. If this type of attack were launched with a much larger botnet, the traffic volume could be orders of magnitude greater and have a much larger potential impact. As such, organizations are urged to patch or mitigate as quickly as possible.
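The following is an added illustration, not code from the original article or from any of the vendors it mentions. It models the server-side stream accounting described above: a connection enforces SETTINGS_MAX_CONCURRENT_STREAMS, every HEADERS frame costs the server a unit of work, and RST_STREAM frees the slot immediately. The simulation shows why an open-then-reset loop never trips the stream limit while still charging the server for every request, and how counting resets per connection (the approach the large providers described, modelled here with an assumed threshold) lets the server close the connection early. The class, function names and the numbers 100, 50 and 1000 are constructed for this example.

```python
"""Toy model of HTTP/2 server-side stream accounting (constructed example)."""
from collections import deque


class StreamLimitExceeded(Exception):
    """Peer tried to open more concurrent streams than SETTINGS_MAX_CONCURRENT_STREAMS allows."""


class Http2ConnectionModel:
    """Tracks active streams on one connection and the work the server paid for."""

    def __init__(self, max_concurrent_streams=100, reset_limit=None, window=1000):
        # RFC 9113 recommends a limit no smaller than 100.
        self.max_concurrent_streams = max_concurrent_streams
        self.active = set()
        self.peak_active = 0
        self.work_done = 0                 # handler invocations the server started
        self.reset_limit = reset_limit     # mitigation threshold; None disables it (assumed value)
        self.recent = deque(maxlen=window) # sliding window of 'H' (HEADERS) / 'R' (RST_STREAM)
        self.closed = False                # True once the server would send GOAWAY

    def headers(self, stream_id):
        """Peer opens a stream: enforce the limit, then allocate state and dispatch work."""
        if self.closed:
            return False
        if len(self.active) >= self.max_concurrent_streams:
            raise StreamLimitExceeded(stream_id)
        self.active.add(stream_id)
        self.peak_active = max(self.peak_active, len(self.active))
        self.work_done += 1                # parsing, state allocation, backend dispatch
        self.recent.append("H")
        return True

    def rst_stream(self, stream_id):
        """Peer cancels a stream: the slot is freed at once, but the work was already started."""
        if self.closed:
            return False
        self.active.discard(stream_id)
        self.recent.append("R")
        if self.reset_limit is not None and self.recent.count("R") > self.reset_limit:
            self.closed = True             # too many cancellations in the window: GOAWAY
        return True


def simulate_rapid_reset(attempts, **kwargs):
    """Open a stream and reset it immediately, `attempts` times, on one connection."""
    conn = Http2ConnectionModel(**kwargs)
    refused = 0
    for i in range(attempts):
        sid = 2 * i + 1                    # client-initiated stream IDs are odd
        try:
            if not conn.headers(sid):
                break                      # connection was closed by the mitigation
            conn.rst_stream(sid)
        except StreamLimitExceeded:
            refused += 1
    return {"work_done": conn.work_done, "refused": refused,
            "peak_active": conn.peak_active, "closed": conn.closed}


def simulate_open_only(attempts, **kwargs):
    """A client that opens streams and waits: the concurrency limit stops it as designed."""
    conn = Http2ConnectionModel(**kwargs)
    refused = 0
    for i in range(attempts):
        try:
            conn.headers(2 * i + 1)
        except StreamLimitExceeded:
            refused += 1
    return {"work_done": conn.work_done, "refused": refused,
            "peak_active": conn.peak_active, "closed": conn.closed}


if __name__ == "__main__":
    print("open-only, 150 requests   :", simulate_open_only(150))
    print("rapid reset, 10000 cycles :", simulate_rapid_reset(10000))
    print("rapid reset + reset limit :", simulate_rapid_reset(10000, reset_limit=50))
```

With the limit alone, the open-only client is refused after 100 streams, but the open-and-reset loop is never refused: at most one stream is active at a time, yet the server starts work for all 10,000 requests. With a per-connection reset budget, the connection is closed after the 51st reset and the server has paid for 51 requests instead of 10,000.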
HTTP/2 Adoption
Despite its advantages, HTTP/2 has not seen universal adoption. Several factors contribute to this:
- Compatibility Issues: Older systems and browsers may not support HTTP/2, making it less appealing for websites that cater to a broad audience.
- Lack of Awareness: Many website owners are not fully aware of the benefits that HTTP/2 can bring, leading to slower adoption rates.
- Server Updates: Transitioning to HTTP/2 often requires updates to web servers, which some organizations may find cumbersome or risky.
One way to mitigate the vulnerabilities in HTTP/2 is to disable it on your web server. Microsoft provides a guide on how to do this using the Registry Editor. However, it’s crucial to exercise caution when using the Registry Editor, as incorrect usage can lead to severe system issues.
Here’s a step-by-step guide based on Microsoft’s recommendations:
- Open Registry Editor: Click Start, click Run, type Regedit in the Open box, and click OK.
- Locate Subkey: Navigate to
- Edit DWORD Values: Set the DWORD type value EnableHttp2Cleartext to 0 to disable HTTP/2 or 1 to enable it.
- Restart: Exit the Registry Editor and restart your computer.
For more details, you can refer to Microsoft’s update guide on CVE-2023-44487.
Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have the following configured:
- keepalive_requests should be kept at the default setting of 1000 requests
- http2_max_concurrent_streams should be kept at the default setting of 128 streams
The Cybersecurity and Infrastructure Security Agency (CISA) has also advised on this vulnerability. For more details, you can refer to CISA’s advisory on CVE-2023-44487.