Zero-day vulnerability in HTTP/2 protocol: How to protect yourself effectively

  • Lisa Fröhlich
  • November 9, 2023


    Zero-day vulnerabilities are vulnerabilities in software, operating systems, or protocols that have not yet been identified or fixed by the developers or vendors. The term “zero-day” refers to the fact that developers have had no chance to patch the issue before it is discovered: active exploitation is typically the first notice they receive.

    These exploits are particularly dangerous because attackers can have a lot of time to use them before the issue is discovered or a patch developed. Zero-day vulnerabilities are therefore highly sought-after and can be used in several types of attacks. It is not for nothing that there are so-called bug bounty programs, which pay up to $2,500,000 in rewards for finding and reporting these issues.

    A recently discovered and publicly reported example is the HTTP/2-based distributed denial-of-service (DDoS) attack that uses a technique known as rapid reset.

    What is the zero-day vulnerability in the HTTP/2 protocol and how is it exploited?

    The attack, dubbed “Rapid Reset” (CVE-2023-44487), was actively exploited from August 2023 to October 2023 and was recently disclosed by researchers and vendors (Google, Amazon and Cloudflare). It exploits a vulnerability in the HTTP/2 protocol by rapidly terminating HTTP/2 streams using RST_STREAM frames.

    What exactly is it all about?

    With HTTP/1, each request is followed by a separate response from the server. Closing the connection is therefore the only way to abort a request; the client has no other means of telling the server that it wants to terminate.

    HTTP/2, however, offers a more efficient method. HTTP/2 is fully multiplexed, so multiple files and requests can be transferred simultaneously, unlike with HTTP/1. HTTP/2 uses the same connection to transfer different files and requests (keepalive), avoiding the overhead of opening a new connection for each file that needs to be transferred between a client and a server.

    If the client wants to abort a request, it can send an RST_STREAM frame. Although HTTP/1.1 also supports keepalive and can thus transfer multiple files over one connection, it cannot do so simultaneously.

    As soon as the server receives this RST_STREAM, it stops the corresponding stream. However, the connection remains active and can be used for other requests. Requests and responses running at the same time as the stopped request are not affected.

    In an HTTP/2 Rapid Reset attack, this process is automated in a pattern where requests are sent and aborted in rapid succession. Often, there is no server-side limit on the maximum number of concurrently active streams per connection. The result is a DDoS attack that can overload servers and applications that use the standard HTTP/2 protocol.

    What was the impact of the vulnerability?

    The impact of this vulnerability was significant and led to record-breaking DDoS attacks in late summer 2023. The “rapid reset” technique allows attackers to overload servers without reaching the configured threshold, generating millions of requests per second.

    One such attack hit Google in August 2023, which successfully fended off the largest DDoS attack ever recorded. It reached a rate of 398 million requests per second, seven times larger than the previous record holder from 2022.

    Google itself made a comparison to illustrate the scale of this attack: During the attack, more queries per second were made on Google Cloud in just two minutes than on the online encyclopedia Wikipedia in the entire month of September 2023.

    Why is the vulnerability in HTTP/2 protocol dangerous?

    The vulnerability in the HTTP/2 protocol is particularly dangerous because it allows attackers to conduct DDoS attacks with a comparatively small botnet infrastructure. Even smaller botnets can generate enormous amounts of requests that can overload almost any server or application that supports HTTP/2.

    This is because each stream is reset as soon as it is opened, so the number of concurrently open streams never reaches the server's configured limit even though requests keep arriving. For networks without proper protection measures, this poses a significant threat.
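    The following Python is an added example, not code from this post or from Link11, that simulates the server-side bookkeeping behind the two preceding sections. It parses the 9-byte HTTP/2 frame header defined in RFC 9113, tracks the set of open streams per connection, and compares a connection that behaves like a browser with one that opens and cancels streams in rapid succession. The reset-heavy connection never exceeds SETTINGS_MAX_CONCURRENT_STREAMS, because each stream is closed before the next one opens; what does catch it is a per-connection budget on RST_STREAM frames per time window, which is the kind of limit the protection measures below rely on. The thresholds, the `ConnectionTracker` class and the sample traffic are constructed for illustration and are not any vendor's implementation.

```python
"""Server-side HTTP/2 connection tracker (added example, not Link11 code).

It parses the 9-byte frame header from RFC 9113, keeps the set of currently
open streams per connection, and compares two policies:
  * SETTINGS_MAX_CONCURRENT_STREAMS, which a reset-heavy client never trips
  * a budget on RST_STREAM frames per time window, which it does trip
Thresholds and the sample traffic are constructed for illustration."""
import struct
from collections import deque

# Frame type codes and flags from RFC 9113, section 6
HEADERS = 0x1
RST_STREAM = 0x3
END_STREAM = 0x1          # HEADERS flag: the request carries no body
ERR_CANCEL = 0x8          # RST_STREAM error code CANCEL


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    length = struct.pack(">I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class ConnectionTracker:
    """Per-connection bookkeeping as a server or CDN edge would keep it (assumed design)."""

    def __init__(self, max_concurrent=100, reset_budget=20, window=1.0):
        self.max_concurrent = max_concurrent  # advertised SETTINGS_MAX_CONCURRENT_STREAMS
        self.reset_budget = reset_budget      # assumed: RST_STREAM frames tolerated per window
        self.window = window                  # window length in seconds
        self.active = set()                   # stream ids opened and not yet finished
        self.peak_concurrent = 0
        self.total_resets = 0
        self.recent_resets = deque()          # timestamps of recent RST_STREAM frames
        self.closed_at = None                 # time the server gave up on the connection

    def client_frames(self, ts, raw):
        """Process client-sent frames received at time ts (seconds)."""
        for ftype, _flags, sid, _payload in iter_frames(raw):
            if self.closed_at is not None:
                return  # connection already torn down (GOAWAY sent)
            if ftype == HEADERS:
                if sid in self.active or len(self.active) >= self.max_concurrent:
                    self.closed_at = ts  # protocol error or over the concurrency limit
                    return
                self.active.add(sid)
                self.peak_concurrent = max(self.peak_concurrent, len(self.active))
            elif ftype == RST_STREAM:
                self.active.discard(sid)  # a reset stream no longer counts as concurrent
                self.total_resets += 1
                self.recent_resets.append(ts)
                while self.recent_resets and ts - self.recent_resets[0] > self.window:
                    self.recent_resets.popleft()
                if len(self.recent_resets) > self.reset_budget:
                    self.closed_at = ts  # too many cancellations: stop serving this client

    def server_finished(self, sid):
        """Called when the server has sent its final frame for a stream."""
        self.active.discard(sid)


def well_behaved_connection():
    """Constructed traffic: a browser opens six streams, cancels one, the rest complete."""
    t = ConnectionTracker()
    for i, sid in enumerate(range(1, 13, 2)):
        t.client_frames(0.01 * i, build_frame(HEADERS, END_STREAM, sid))
    t.client_frames(0.1, build_frame(RST_STREAM, 0, 3, struct.pack(">I", ERR_CANCEL)))
    for sid in (1, 5, 7, 9, 11):
        t.server_finished(sid)
    return t


def reset_heavy_connection(n=1000):
    """Constructed traffic: n streams each opened and cancelled at once within one second.
    Only one stream is ever open, so the concurrency limit alone never triggers."""
    t = ConnectionTracker()
    for i in range(n):
        sid = 2 * i + 1
        raw = build_frame(HEADERS, END_STREAM, sid) + build_frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
        t.client_frames(i / n, raw)
    return t


if __name__ == "__main__":
    good, bad = well_behaved_connection(), reset_heavy_connection()
    print("normal: peak", good.peak_concurrent, "resets", good.total_resets, "closed at", good.closed_at)
    print("reset-heavy: peak", bad.peak_concurrent, "resets", bad.total_resets, "closed at", bad.closed_at)
```

    Running the script shows the asymmetry the post describes: the reset-heavy connection peaks at a single open stream, far below the advertised limit of 100, yet is closed after its 21st reset within the window, while the browser-like connection, which peaks at six open streams and cancels once, is never touched. Real servers and CDNs express the same idea with their own knobs (limits on resets or total requests per connection, keepalive caps), so the budget values here are starting points to tune against observed traffic, not recommendations.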

    In addition to these obvious dangers, other risks lurk. Companies are often faced with the challenge of patching and updating their systems as quickly as possible. With every new vulnerability that is discovered, the pressure on in-house IT security teams increases. The German Federal Office for Information Security (BSI) reported more than 1,100 critical vulnerabilities in the first quarter of 2023 alone (German source).

    What steps can companies take to protect themselves from such attacks?

    With so many potential vulnerabilities, it is difficult for companies to protect themselves. This is especially true for zero-day attacks, as it is impossible to develop a patch for an unknown vulnerability.

    In addition to good emergency preparedness, ongoing employee awareness, and regular review of security measures, organizations should use a combination of proactive measures and security best practices to protect against zero-day DDoS attacks:

    • Implement powerful monitoring systems to detect suspicious traffic early. This enables the identification of deviations in data traffic patterns that indicate possible attacks.
    • Deploy DDoS protection solutions that can filter traffic and separate malicious traffic from legitimate traffic. These systems can fend off attacks by blocking the malicious traffic.
    • A Content Delivery Network (CDN) can help distribute traffic and minimize the impact of DDoS attacks. Load balancing works in a similar way. This method provides geographic redundancy to distribute traffic across multiple servers or data centers. Both minimize the impact of an attack and ensure service availability.
    • Keep your systems, software, and security solutions up to date with regular updates and patches to address potential vulnerabilities.

    Link11 helps you optimize your protection

    Link11’s Secure CDN solution and Web DDoS Protection provide you with comprehensive protection against an HTTP/2 Rapid Reset attack. The underlying technology is, by default, limited to a certain number of concurrent HTTP/2 streams and keepalive connections. This limitation protects against the DDoS vulnerability because it prevents the excessive number of RST_STREAM frames required for the attack. The default settings for keepalive connections ensure that excessive resources are not consumed when streams are reset.

    Link11 DDoS Protection detects malicious activity and traffic and can immediately block the corresponding attackers. Even if the origin server does not respond, the CDN continues distributing your content.

    Overall, the configuration used and the integration of DDoS protection ensure that the CDN product is robust against DDoS vulnerabilities and that performance and service availability are maintained.

    In addition, the CDN can be easily combined with other Link11 security solutions such as the Layer 7 DDoS protection, Zero Touch WAF or Bot Management. Doing so means you get comprehensive protection at all levels.

    If you want state-of-the-art security measures and automated protection, or want to know more about our products, get in touch with our security experts now to discuss your needs.
