Email or username:

Password:

Forgot your password?
BrianKrebs

There's an important vulnerability being disclosed today that allows attackers to massively increase the size of DDoS attacks.

The flaw is being tracked as CVE-2023-44487, a.k.a. "HTTP/2 Rapid Reset Attack." According to Damian Menscher at Google, the attack "works by sending a request and then immediately cancelling it (a feature of HTTP/2). This lets attackers skip waiting for responses, resulting in a more efficient attack."

More info:

cloud.google.com/blog/products

aws.amazon.com/blogs/security/

aws.amazon.com/security/securi

cloudflare.com/press-releases/

19 comments
התנועה לזכויות דיגיטליות

@mterhar @briankrebs technically layer 5 if it's http2 specific? Something like that.

Natasha Nox 🇺🇦🇵🇸

@mterhar @briankrebs Probably harder for hardware firewalls to catch though.

Jerry Dixon

@briankrebs Damon is a sharp dude and thanks for sharing!

BrianKrebs

@packet Yes, if he is calling attention to something, I'm listening :)

Louis Ingenthron

@briankrebs Why would standard DDOS protection not apply here?

BrianKrebs

@LouisIngenthron Maybe because it's abusing a feature less than a vulnerability?

Louis Ingenthron

@briankrebs I thought that DDOS protection shuts down or rate-limits connection attempts after detecting a high volume, right? Does that detection just not work if they requestor also sends cancellation messages?

In other words, after the first 10 or 100 are sent and cancelled, why would the server not just reject any connection attempt from that host?

Yuri Arabadji

@LouisIngenthron because you can't know for sure who's behind the endpoint sending stream resets. It could be a non-malicious user. The vuln is not that bad. Manageable.

Louis Ingenthron

@cek To the best of my knowledge, everything you just said applies to traditional DDOS attacks too. You can't tell if they're malicious either, but once they go over the limit, you cut them off anyway to play defense. Why does that not apply here?

Kevin Karhan :verified:

@briankrebs I guess the only feasible defense if blocking #HTTP2 or rate-limiting per IP adress allication block?

Christoph Petrausch

@kkarhan @briankrebs this would be the "Holzhammer". You need some rate limiter for created connections per client/connection in your Frontend http2 server, do you don't overload your backend with canceled requests. Or add some sort of tar-pit/cool down before proxing an incoming request to the backend. This will add latency, but you will not Proxy already canceled requests.

Kevin Karhan :verified:

@hikhvar @briankrebs Just rate-limiting the number of connections per IP should work regardless if on a WebProxy, Chaching Server or Network (Security) Appliance...

OFC those rate limits could be self-resetting/soft to quickly ban any attempted DoS attacks...

Jist like one could traffic-shape per IP Adress...

Christoph Petrausch

@kkarhan @briankrebs no, rate limiting connections will not help here. The request cancelation happens within the same TCP connection.

Kevin Karhan :verified:

@hikhvar @briankrebs Worst-case limiting over time, number of packets and bandwith would be an option...

This should throttle down attackers...

Kote Isaev

@briankrebs Here QUIC/HTTP3 connection migration comes into chat, shakes hands to Rapid Reset, and they both sing "it is not a bug, it is is a feature!"

Karsten Johansson

@briankrebs I used to teach in my penetration testing course that all you need to do to find your own 0-days is ... rtfm!

Григорий Клюшников

I'm confused by the HTTP 1.1 diagram. What about request pipelining? Or do common web servers work such that the client is required to receive the response to their first request before the second one will be processed?

Go Up