Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: New DDoS technique Rapid Reset Attack uses actively exploited zero-day in HTTP/2 - CVE-2023-44487
Image
Published : 11/10/2023
Reference:
Advisory #2023-122
Version:
2.0
Affected software:
HTTP/2
Type:
Denial of Service
CVE/CVSS:
CVE-2023-44487
7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
Risks
Risk: A new DDoS technique named 'HTTP/2 Rapid Reset' has been actively exploited as a zero-day vulnerability since August, breaking all previous DDoS records. It exploits a zero-day vulnerability tracked as CVE-2023-44487, abusing a weakness in the HTTP/2 protocol.
Threat Actors: Threat actors, including those with relatively small botnets, have already abused this technique. As more expansive botnets adopt this method, it is expected to continue breaking records.
Historical Events: Since late August, Cloudflare, Google and Amazon Web Services have detected and mitigated thousands of 'HTTP/2 Rapid Reset' DDoS attacks, several of which breaking previous DDoS records.
Technology Targeted: This vulnerability targets the HTTP/2 protocol, commonly used in web servers and browsers.
Interest to Actors: Threat actors can overwhelm target servers/applications, imposing a Denial of Service (DoS) state, making it appealing for those with malicious intent.
Impact on CIA Triad: There is a high impact on availability.
Description
A new DDoS technique called 'HTTP/2 Rapid Reset' is currently being exploited as a zero-day vulnerability. This method abuses a zero-day vulnerability, CVE-2023-44487, which targets a weakness in the HTTP/2 protocol. In simple terms, it overwhelms target servers or applications by exploiting HTTP/2's stream cancellation feature. This feature, can be abused by malicious actors to send a barrage of HTTP/2 requests and resets, causing rapid resets and overwhelming the server's capacity to respond to new incoming requests.
Several major tech companies, including Amazon Web Services, Cloudflare, and Google, have reported mitigating record-breaking DDoS attacks using this technique.
Recommended Actions
The Centre for Cyber Security Belgium strongly recommends to take the following actions:
- Implement DDoS protection: Organisations should employ multifaceted DDoS protection methods to mitigate the risk of 'HTTP/2 Rapid Reset' attacks.
- Keep Software Updated: Ensure that all software utilizing the HTTP/2 protocol is up to date. Developers should implement rate controls to mitigate HTTP/2 Rapid Reset attacks effectively.
- Stay Informed: Monitor for security advisories and updates related to this vulnerability. Ensure that your security teams are informed and ready to respond to any potential threats.
- Incident Response Plan: Develop and regularly update an incident response plan that includes specific actions for mitigating DDoS attacks. Ensure that your organisation's response plan is tested and ready for implementation. Also look at "How To Protect Your Organisation Against a DDoS Attack":
Possible workaround
- Disable the HTTP/2 protocol
Vendor advisories and statements
- Apache Tomcat - Fixed in 8.5.94
- AWS
- F5
- Microsoft IIS
- Microsoft MsQuic - Fixed in 2.2.3
- Nginx
- nghttp2 library - Fixed in 1.57.0
- Cisco
References
- https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088
- https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- https://www.bleepingcomputer.com/news/security/new-http-2-rapid-reset-zero-day-attack-breaks-ddos-records/
- https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/