Overview :

HTTP/2 utilizes the "Stream multiplexing" feature, unlike HTTP/1.1, allowing multiple streams to be opened and closed within a single TCP connection. We have compiled an analysis of CVE-2023-44487, a denial of service (DoS) vulnerability recently discovered in this protocol.

Attack Type :

CVE-2023-44487 targets all web services supporting the HTTP/2 protocol, primarily focusing on servers or cloud services acting as load balancers or proxies. It involves sending a large number of RST_STREAM requests to induce excessive processing on the server, leading to a denial of service attack.

Fundamentally, in HTTP/2, upon receiving a stream cancellation request like RST_STREAM, the server first reads the HEADER information to transition the stream to a half-close state, and then closes it upon reading RST_STREAM.

Source: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/

However, clients can continue sending RST_STREAM requests without restrictions and without waiting for response data, while servers, upon cancellation requests, need to allocate new stream data structures, perform query parsing, decompress headers, map URLs to resources, and undertake significant processing. This leads to an asymmetry between server and client behaviors.

Source: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack?hl=en

Ultimately, due to the greater workload on servers compared to clients, delays occur, resulting in a DoS attack.

Since this attack occurs within a single TCP request, even DDoS mitigation services like CloudFlare are unable to fully mitigate it, highlighting the heightened risk posed by this vulnerability.

Moreover, variations of the attack include methods such as canceling multiple streams simultaneously or opening more concurrent streams than the server limit.

Response Measures :

Upon detecting exploitation of this vulnerability, post-incident measures may involve blocking the IP where the phenomenon occurred or blocking the entire TCP connection. Precautionary measures include enforcing limits on the number of simultaneous streams allowed for connections.

Additionally, services and libraries vulnerable to this issue should be updated to their latest versions.

In our AIWAF and AISWG products, we have updated the relevant nghttp2 library and developed functionality to limit the number of RST_STREAMs in HTTP/2 sessions, which is available from AIWAF v5.0.2_2 build 4126 onwards.

Conclusion :

CVE-2023-44487 is a vulnerability stemming from structural issues in the HTTP/2 protocol, potentially exploited in any service supporting HTTP/2. Awareness and response to this vulnerability are crucial.

In our AIWAF and AISWG products, we update the relevant services and libraries and establish response measures against DoS attacks leveraging this vulnerability.