In a concerning escalation of cybersecurity threats, Amazon Web Services (AWS), Cloudflare, and Google reported significant progress in defending against unprecedented distributed denial-of-service (DDoS) attacks that utilize a new exploit known as HTTP/2 Rapid Reset. This emerging vulnerability has raised alarms due to its ability to launch large-scale attacks efficiently.

The coordinated disclosure from the three companies describes layer 7 attacks first identified in late August 2023. The underlying vulnerability, tracked as CVE-2023-44487, has a CVSS score of 7.5. Attacks using the technique have been recorded at unprecedented rates: Google Cloud observed a peak of 398 million requests per second (RPS), while AWS and Cloudflare saw peaks of 155 million and 201 million RPS, respectively.

HTTP/2 Rapid Reset exploits a zero-day vulnerability in the HTTP/2 protocol that lets an attacker exhaust server resources by rapidly opening and cancelling requests. HTTP/2 multiplexes requests over a single TCP connection, so many streams can be in flight at the same time. That feature is exactly what the attack abuses to overwhelm server capacity.

The attack relies on the protocol's provision for clients to abort a request with an RST_STREAM frame. Attackers open large numbers of requests and cancel each one almost immediately, which sidesteps the server's limit on concurrent streams because a cancelled stream no longer counts against it. AWS's security team explains that each of these requests still costs the server work, including logging the request, even though the attacker resets it before a response is sent, and the sheer volume of such resets is more than the targeted system can keep up with.

This mechanism lets an attacker keep an effectively unbounded number of requests in flight indefinitely, overwhelming the target site and disrupting service. HTTP/2 Rapid Reset has proven highly effective even with relatively small botnets; reports indicate that as few as 20,000 machines can mount a successful attack. Grant Bourzikas, Chief Security Officer at Cloudflare, described the vulnerability as a critical addition to an attacker's arsenal, enabling attacks of unprecedented scale.
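To make the pattern visible from the server's side, the following added example (not code from AWS, Cloudflare, Google or this article) scores each HTTP/2 connection by how many streams the client resets before the server has sent any response, using a sliding time window. The frame log, the thresholds and the function name are constructed for illustration; a real deployment would feed it decoded frames from the HTTP/2 layer.

```python
from collections import defaultdict, deque

# Constructed sample of decoded HTTP/2 frame events seen by a server:
# (timestamp_seconds, connection_id, frame, stream_id). "HEADERS" and
# "RST_STREAM" are sent by the client; "RESPONSE" marks the server's first
# response frame on that stream. Connection "A" is a normal client that
# cancels one request; connection "B" shows the rapid-reset pattern.
SAMPLE_FRAMES = (
    [(0.1 * i, "A", "HEADERS", 2 * i + 1) for i in range(6)]
    + [(0.1 * i + 0.05, "A", "RESPONSE", 2 * i + 1) for i in range(5)]
    + [(0.55, "A", "RST_STREAM", 11)]                 # one legitimate cancel
    + [(0.01 * i, "B", "HEADERS", 2 * i + 1) for i in range(40)]
    + [(0.01 * i + 0.002, "B", "RST_STREAM", 2 * i + 1) for i in range(40)]
)


def detect_rapid_reset(frames, window_s=1.0, max_resets=20, min_ratio=0.5):
    """Return {conn_id: (opened, cancelled, peak_resets_in_window)} for
    connections whose client resets streams before any response arrives,
    more than max_resets times within window_s, with at least min_ratio
    of all opened streams cancelled. Ordinary clients cancel occasionally;
    rapid-reset clients cancel almost everything, immediately."""
    opened = defaultdict(int)
    cancelled = defaultdict(int)
    awaiting = defaultdict(set)      # streams with no server response yet
    recent = defaultdict(deque)      # timestamps of recent early cancels
    peak = defaultdict(int)
    for ts, conn, frame, sid in sorted(frames):
        if frame == "HEADERS":
            opened[conn] += 1
            awaiting[conn].add(sid)
        elif frame == "RESPONSE":
            awaiting[conn].discard(sid)
        elif frame == "RST_STREAM" and sid in awaiting[conn]:
            # Reset before the server replied: the request cost work
            # (parsing, routing, logging) but produced nothing useful.
            awaiting[conn].discard(sid)
            cancelled[conn] += 1
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window_s:   # drop cancels outside window
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
    flagged = {}
    for conn in opened:
        ratio = cancelled[conn] / opened[conn]
        if peak[conn] > max_resets and ratio >= min_ratio:
            flagged[conn] = (opened[conn], cancelled[conn], peak[conn])
    return flagged
```

Running `detect_rapid_reset(SAMPLE_FRAMES)` flags only connection "B"; the ratio test keeps a busy but well-behaved client from being flagged for the occasional cancel.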

According to W3Techs, HTTP/2 is utilized by approximately 35.6% of all websites, underscoring the potential impact of these attacks on the web ecosystem. Furthermore, recent developments indicate a proliferation of variant attack methods that, while potentially less effective than the initial technique, still exhibit increased efficiency compared to traditional HTTP/2 attack patterns.

F5 has separately acknowledged that these attacks particularly affect the NGINX HTTP/2 module and has advised customers to adjust their configuration to limit the number of open streams. The disclosure has set off a race: organizations are scrambling to patch while attackers actively look for unpatched targets, so businesses urgently need to harden their defenses against both the original technique and its emerging variants.

The tactical approach employed by attackers falls under several classifications within the MITRE ATT&CK framework, particularly in the realms of initial access and denial of service. As the cybersecurity landscape evolves in response to these threats, businesses must remain vigilant and proactive in updating security measures to safeguard their operations against the increasing sophistication of adversarial techniques.

How Companies Are Adapting

In the wake of the public disclosure of CVE-2023-44487, software providers have released a wave of updates designed to mitigate the new attack vector. Akamai, Alibaba Tengine and Apache Tomcat are among those that have shipped mitigations to protect their users from the vulnerability.

As awareness of this threat grows, organizations must recognize that failure to respond can result in significant operational disruption. With threat actors continually adapting their strategies, maintaining the upper hand will require a dedicated effort to bolster resilience and fortify cybersecurity frameworks across industries.