Email or username:

Password:

Forgot your password?
All posts BrianKrebs's posts Post Back to profile
BrianKrebs

There's an important vulnerability being disclosed today that allows attackers to massively increase the size of DDoS attacks.

The flaw is being tracked as CVE-2023-44487, a.k.a. "HTTP/2 Rapid Reset Attack." According to Damian Menscher at Google, the attack "works by sending a request and then immediately cancelling it (a feature of HTTP/2). This lets attackers skip waiting for responses, resulting in a more efficient attack."

More info:

cloud.google.com/blog/products

aws.amazon.com/blogs/security/

aws.amazon.com/security/securi

cloudflare.com/press-releases/
10 Oct 2023 at 12:32 | Open on infosec.exchange
19 comments
mterhar
התנועה לזכויות דיגיטליות

@mterhar @briankrebs technically layer 5 if it's http2 specific? Something like that.

10 Oct 2023 at 13:57 | Open on tooot.im
Natasha Nox 🇺🇦🇵🇸

@mterhar @briankrebs Probably harder for hardware firewalls to catch though.

10 Oct 2023 at 15:22 | Open on chaos.social
Jerry Dixon

@briankrebs Damon is a sharp dude and thanks for sharing!

10 Oct 2023 at 14:44 | Open on infosec.exchange
BrianKrebs

@packet Yes, if he is calling attention to something, I'm listening :)

10 Oct 2023 at 15:00 | Open on infosec.exchange
Louis Ingenthron

@briankrebs Why would standard DDOS protection not apply here?

10 Oct 2023 at 14:46 | Open on qoto.org
BrianKrebs

@LouisIngenthron Maybe because it's abusing a feature less than a vulnerability?

10 Oct 2023 at 14:56 | Open on infosec.exchange
Louis Ingenthron

@briankrebs I thought that DDOS protection shuts down or rate-limits connection attempts after detecting a high volume, right? Does that detection just not work if they requestor also sends cancellation messages?

In other words, after the first 10 or 100 are sent and cancelled, why would the server not just reject any connection attempt from that host?

10 Oct 2023 at 15:04 | Open on qoto.org
Yuri Arabadji

@LouisIngenthron because you can't know for sure who's behind the endpoint sending stream resets. It could be a non-malicious user. The vuln is not that bad. Manageable.

10 Oct 2023 at 19:26 | Open on techhub.social
Louis Ingenthron

@cek To the best of my knowledge, everything you just said applies to traditional DDOS attacks too. You can't tell if they're malicious either, but once they go over the limit, you cut them off anyway to play defense. Why does that not apply here?

10 Oct 2023 at 19:44 | Open on qoto.org
Kevin Karhan :verified:

@briankrebs I guess the only feasible defense if blocking #HTTP2 or rate-limiting per IP adress allication block?

10 Oct 2023 at 14:48 | Open on mstdn.social
Christoph Petrausch

@kkarhan @briankrebs this would be the "Holzhammer". You need some rate limiter for created connections per client/connection in your Frontend http2 server, do you don't overload your backend with canceled requests. Or add some sort of tar-pit/cool down before proxing an incoming request to the backend. This will add latency, but you will not Proxy already canceled requests.

10 Oct 2023 at 21:47 | Open on norden.social
Kevin Karhan :verified:

@hikhvar @briankrebs Just rate-limiting the number of connections per IP should work regardless if on a WebProxy, Chaching Server or Network (Security) Appliance...

OFC those rate limits could be self-resetting/soft to quickly ban any attempted DoS attacks...

Jist like one could traffic-shape per IP Adress...

10 Oct 2023 at 21:50 | Open on mstdn.social
Christoph Petrausch

@kkarhan @briankrebs no, rate limiting connections will not help here. The request cancelation happens within the same TCP connection.

11 Oct 2023 at 1:58 | Open on norden.social
Kevin Karhan :verified:

@hikhvar @briankrebs Worst-case limiting over time, number of packets and bandwith would be an option...

This should throttle down attackers...

11 Oct 2023 at 9:54 | Open on mstdn.social
Kote Isaev

@briankrebs Here QUIC/HTTP3 connection migration comes into chat, shakes hands to Rapid Reset, and they both sing "it is not a bug, it is is a feature!"

10 Oct 2023 at 15:01 | Open on mastodon.online
Karsten Johansson

@briankrebs I used to teach in my penetration testing course that all you need to do to find your own 0-days is ... rtfm!

10 Oct 2023 at 17:29 | Open on infosec.exchange
Johan Diederik
Григорий Клюшников

I'm confused by the HTTP 1.1 diagram. What about request pipelining? Or do common web servers work such that the client is required to receive the response to their first request before the second one will be processed?

12 Oct 2023 at 10:55
Go Up