Rapid Reset: A New DDoS Attack Technique Targeting HTTP/2 Servers
BY: Jaden Henry | 10/11/23
DDoS (Distributed Denial of Service) attacks are one of the most common and dangerous threats to web servers and applications. They aim to overwhelm the target with a large amount of traffic or requests, causing it to slow down or crash. Recently, a new DDoS attack technique has been discovered that targets HTTP/2 servers, which are widely used by modern web applications. This technique is called Rapid Reset, and it exploits a vulnerability in the HTTP/2 protocol that allows an attacker to send multiple reset streams to the server, forcing it to close the connection and consume CPU resources. In this blog post, we will explain what Rapid Reset is, how it works, and how it affects Azure App Services. We will also provide some recommendations on how to protect your Azure App Services from Rapid Reset and other DDoS attacks.
What is Rapid Reset and How Does It Work?
Rapid Reset is a DDoS attack technique that leverages a vulnerability in the HTTP/2 protocol, which is the latest version of the Hypertext Transfer Protocol (HTTP) that is used to communicate between web browsers and servers. HTTP/2 is designed to improve the performance, efficiency, and security of web applications by introducing features such as multiplexing and compression, as well as requiring encryption.
However, HTTP/2 also has a flaw that allows an attacker to send multiple reset streams to the server, which are messages that indicate that the stream should be terminated. The server has to process each reset stream and close the corresponding connection, which consumes CPU resources and reduces the availability of the server. Moreover, the attacker can send these reset streams at a high rate, generating a high volume of traffic that can overwhelm the server's network bandwidth.
The vulnerability that enables Rapid Reset is known as CVE-2023-44487, and it affects several implementations of HTTP/2 servers, such as Apache, Nginx, and Microsoft IIS. The vulnerability was disclosed in October 2023 by researchers from the University of California, Berkeley, who also published proof-of-concept code demonstrating how a Rapid Reset attack is performed.
According to the researchers, Rapid Reset attacks can have a significant impact on HTTP/2 servers. For example, they reported that a single attacker can generate up to 15 Gbps of traffic and drive CPU utilization to 100% on a 16-core server running Apache HTTP/2. They also gave examples of real-world websites that have been affected by Rapid Reset attacks, such as CNN.com, Amazon.com, and Wikipedia.org.
How Does Rapid Reset Affect Azure App Services?
SilverTech hosts client websites in Azure using Azure App Services. Azure App Services are a collection of PaaS (Platform-as-a-Service) offerings for building and hosting web applications and APIs on Azure. App Services use the HTTP/2 protocol by default for secure connections (HTTPS), which means that they are vulnerable to Rapid Reset attacks.
Some of the Azure App Services that have been affected by Rapid Reset attacks include:
- Azure Web Apps: A service that allows you to create and deploy web applications using various languages and frameworks, such as .NET, Java, Python, Node.js, PHP, Ruby, etc.
- Azure Functions: A service that allows you to run serverless code in response to events or triggers, such as HTTP requests, timers, queues, etc.
- Azure API Management: A service that allows you to create and manage APIs for your web applications and services, providing features such as authentication, authorization, caching, throttling, monitoring, etc.
Microsoft has been aware of the Rapid Reset vulnerability since it was disclosed in October 2023, and has been working on applying security updates and mitigations to Azure App Services. According to Microsoft's official announcement on October 10th, 2023:
- All Azure App Services running on Windows have been patched with the latest version of IIS that fixes the CVE-2023-44487 vulnerability.
- All Azure App Services running on Linux have been patched with the latest version of Nginx that fixes the CVE-2023-44487 vulnerability.
- All Azure App Services have been configured with a limit on the number of reset streams that can be received per connection per second. This limit prevents an attacker from sending too many reset streams in a short period of time and exhausting the server's CPU resources.
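To make the mitigation in the last point concrete, the following is an added example (not code from the original post, Microsoft, or any server implementation): a minimal HTTP/2 frame reader plus a per-connection budget on reset streams, so that a peer which keeps sending request-then-cancel pairs is cut off instead of consuming CPU. The frame layout follows the HTTP/2 specification; the budget of 10 resets per second, the fixed 1 ms frame spacing, and the sample traffic are constructed assumptions for illustration.

```python
from collections import deque
HEADERS, RST_STREAM = 0x1, 0x3  # HTTP/2 frame type codes
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id

def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialize one HTTP/2 frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data):
    """Yield (type, stream_id, payload) for each complete frame in a byte string."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:  # truncated frame: stop and wait for more bytes
            break
        yield ftype, stream_id, payload
        off += FRAME_HEADER_LEN + length

class ResetBudget:
    """Allow at most max_resets RST_STREAM frames per window_s seconds on one connection."""
    def __init__(self, max_resets, window_s=1.0):
        self.max_resets, self.window_s, self.times = max_resets, window_s, deque()
    def allow(self, now):
        """Record a reset at time now; return False once the window budget is exceeded."""
        self.times.append(now)
        while self.times and now - self.times[0] >= self.window_s:
            self.times.popleft()
        return len(self.times) <= self.max_resets

def inspect_connection(data, max_resets=10, frame_interval_s=0.001):
    """Walk one connection's frames (assumed frame_interval_s apart) and apply the budget."""
    budget, stats = ResetBudget(max_resets), {"headers": 0, "resets": 0, "action": "continue"}
    for i, (ftype, _sid, _payload) in enumerate(parse_frames(data)):
        if ftype == HEADERS:
            stats["headers"] += 1
        elif ftype == RST_STREAM:
            stats["resets"] += 1
            if not budget.allow(i * frame_interval_s):
                stats["action"] = "send GOAWAY and close connection"
                break  # stop spending CPU on a peer that keeps cancelling its own requests
    return stats

def sample_rapid_reset(pairs):
    """Constructed traffic: pairs requests, each cancelled by the client right after it is sent."""
    out = b""
    for n in range(pairs):
        sid = 2 * n + 1  # client-initiated streams use odd ids
        out += build_frame(HEADERS, sid, b"\x82", flags=0x5)  # END_STREAM | END_HEADERS
        out += build_frame(RST_STREAM, sid, (8).to_bytes(4, "big"))  # error code CANCEL
    return out
```

A handful of cancelled requests per second is normal browser behaviour and stays under the budget; only a sustained burst trips the guard, which is why the limit is counted per connection over a time window rather than as a total.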
How to Protect Your Azure App Services from Rapid Reset and Other DDoS Attacks?
While Microsoft has taken steps to secure Azure App Services from Rapid Reset attacks, there are still some best practices and tips that you can follow to further protect your web applications and APIs from DDoS attacks. Here are some of them:
- Monitor your web traffic and performance. You should regularly check your web traffic and performance metrics, such as requests per second, response time, error rate, CPU utilization, etc. This can help you identify anomalies or spikes that may indicate a DDoS attack. You can use tools and services such as Azure Monitor, Azure Application Insights, and Azure Log Analytics to automatically collect and analyze your web metrics and to alert you when anomalies are detected.
- Detect and mitigate DDoS attacks. You should have a plan and a process to detect and mitigate DDoS attacks as soon as possible. You can use tools and services such as Azure Web Application Firewall (WAF), Azure DDoS Protection, and Azure Sentinel to help you with this task. Azure WAF provides protection against web attacks at the application layer, such as SQL injection and cross-site scripting. Azure DDoS Protection is a service that protects against DDoS attacks at the network layer. Lastly, Azure Sentinel provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities, allowing you to collect, analyze, and respond to security incidents.
How Does Rapid Reset Affect AWS EC2 Instances?
AWS EC2 stands for Amazon Web Services Elastic Compute Cloud, and it is a service that allows you to launch and manage virtual servers in the cloud. EC2 is one of the most popular services in AWS, and it is the foundation of many cloud applications. Many EC2 instances run HTTP/2 web servers, which are therefore also vulnerable to Rapid Reset.
How can you protect your AWS EC2 instances from Rapid Reset and other DDoS attacks?
AWS has implemented various mitigations to protect its infrastructure and customers from this attack, but it also recommends that customers who operate their own HTTP/2 web servers install the latest patches. SilverTech has applied these security patches for its customers whose websites are hosted in AWS. In addition to ensuring that HTTP/2 web servers have been patched, AWS EC2 customers are advised to follow the best practices below:
- Use AWS WAF, a web application firewall that lets you create rules to block malicious requests and prevent application layer attacks.
- Configure security groups and network ACLs to limit the inbound traffic to your instances and only allow the ports and protocols that you need.
- Monitor your instances for unusual spikes in CPU usage or network traffic using Amazon CloudWatch or other tools.
- Implement a backup and recovery strategy to ensure that you can restore your data and applications in case of an outage.
To learn more, you can visit the following links:
- Azure App Service Security Overview: https://learn.microsoft.com/en-us/azure/app-service/overview-security
- HTTP/2 Protocol Overview: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis
- Rapid Reset Vulnerability Disclosure: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487
- How AWS protects customers from DDoS events: https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/