Protecting Systems from the New HTTP/2 Rapid Reset Vulnerability

Protecting Systems from the New HTTP/2 Rapid Reset Vulnerability

The A10 Networks threat research team has recently investigated the HTTP/2 rapid reset vulnerability (CVE-2023-44487) identified and advised customers on the best ways to mitigate it in their network.

The HTTP/2 rapid reset vulnerability (CVE-2023-44487) leverages the characteristics of the HTTP/2 protocol. Unlike HTTP/1.1, HTTP/2 permits multiplexing and concurrency, where multiple data streams can be established much more efficiently within a single TCP connection. The vulnerability allows malicious actors to bypass server limits on data streams by issuing reset stream packets immediately after requesting a new stream. Some bot exploits are known to request many streams within a single TCP connection. Thereby, the servers may fail to clean up closed streams promptly, placing stress on the servers and then eventually disrupting services due to resource exhaustion.

Threat actors have harnessed botnets infected with malware scripts, which can initiate TCP sessions independently. They are coordinated by command-and-control servers (C2s), instructing them to initiate rapid reset attacks. In a recent incident, around 20,000 botnets participated in a DDoS attack, possibly including those monitored by the A10 threat research team.

The attack itself is a non-reflection, non-volumetric, and mostly encrypted. Therefore, it would be less visible from network-based traffic monitoring and DDoS detection systems, but it leverages a flaw in the stream multiplexing feature of HTTP/2 protocol, which makes any HTTP/2-enabled servers and proxies on the internet vulnerable and at risk from this attack.

Recommended Mitigation Strategies

Due to the nature of the vulnerability and potential DDoS attacks exploiting it, A10 – as an industry leader in the DDoS protection space – recommends the following mitigation strategies:

  1. Patch HTTP/2 servers: Any organization with HTTP/2-enabled systems should assess its exposure to this issue by referring to CVE-2023-44487 or their vendor’s advisory and take appropriate remedies, including software patches and updates, as soon as possible.
  2. Leverage HTTP/2 capable HTTP proxy or application delivery controller (ADC): Rate-limiting HTTP/2 requests alone may not completely remediate this vulnerability because it tends to affect the number of legitimate requests. In addition, without understanding the HTTP/2 request header, it will not be able to identify either legitimate requests or the attack itself. This is where the ADC (or HTTP proxy) comes in. The ADC establishes a connection from a source and handles HTTP/2 requests on behalf of the backend servers. The ADC can parse and validate the request and apply countermeasures, for example – monitoring HEADER and RST_STREM frames counters and setting the limit of frames or concurrent streams on a connection.
  3. IP blocklists: Regularly updating and maintaining IP blocklists to block traffic from known botnets is a fundamental security practice. Blocking traffic from participating HTTP/2 attackers during the attack can substantially mitigate the threat.
  4. Leverage network filters: Implementing geolocation and customizable filters to restrict incoming HTTP traffic is recommended. These filters can generally help identify and block potentially malicious traffic.
  5. Per-source rate limiting: Typical destination-based rate limiting is ineffective as it does not distinguish between legitimate and attack requests. Applying per-source rate limiting on the inline network security device, such as a firewall or DDoS protection system, can help prevent a single client from opening an excessive number of HTTP streams in case infected bots are repeatedly sending an HTTP/2 rapid reset attack. It is a better practice to apply per-source rate limiting to IPs listed on the maintained IP block list.
  6. Collaborate: It’s important to share threat intelligence with security communities, peers, and industry partners. Collaborative efforts can lead to quicker identification and mitigation of emerging threats.

How A10 Can Help

A10 Thunder? ADC supports HTTP/2 protocol VIP (or virtual server) and has built-in control frame limits that can mitigate an HTTP/2 rapid reset attack. Refer to the A10 Security Advisory for CVE-2023-44487 for more details. By identifying the attackers’ IPs on the ADC, the feedback helps build an effective IP block list that can be used as the first line of defense on the firewall or DDoS protection system, such as A10 Thunder TPS. Thunder TPS enables per-source rate limiting using the maintained IP block list and/or the IP block lists from the A10 threat intelligence service for the known botnets, dropping unwanted traffic before reaching the HTTP/2 server or ADC.

The HTTP/2 rapid reset vulnerability poses a serious threat to network security and potentially leads to disruptive DDoS attacks. As attackers increasingly exploit this vulnerability with botnets, organizations must proactively protect their network infrastructure and services. Combining Thunder ADC, Thunder TPS, IP blocklists, and support from the A10 research team will help mitigate the impact of this vulnerability. Collaboration within the security community is essential to stay ahead of emerging threats and protect against future attacks.

This blog was originally published on the A10 blog.

要查看或添加评论,请登录

A10 Networks, Inc的更多文章

社区洞察

其他会员也浏览了