CVE-2023-44487 HTTP/2 Rapid Reset Attack – Simulation and Mitigation Step by Step.

November 1, 2023 | by Siddhartha Shree Kaushik

Vulnerability Scanner

The repository bcdannyboy/CVE-2023-44487 contains a script that scans specific URLs for the vulnerability, which involves the HTTP/2 RST_STREAM frame.

The HTTP/2 RST_STREAM frame is used to end streams in the HTTP/2 protocol. To start the assessment, the script identifies both internal and external IP addresses of the machine running it. It then checks if the target URL supports HTTP/2.

URLs without HTTP/2 support are deemed 'SAFE'. To test for the vulnerability, the script sends an RST_STREAM frame to see how the server responds. Based on the server's response, the URL is categorized as 'VULNERABLE', 'POSSIBLE', 'LIKELY', or 'ERROR'.

For demonstration purposes, we installed the nginx 1.10.3 web server in a VM and enabled HTTP/2 in its configuration file at /usr/local/nginx/conf/nginx.conf. The IP of the web server is 10.10.10.9.

Steps for installing vulnerable HTTP/2 webserver.

  1. Download nginx 1.10.3
  2. Extract it -
    tar -xvzf nginx-1.10.3.tar.gz
  3. cd nginx-1.10.3, then install the essential dependencies -
    sudo apt-get install build-essential libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev
  4. Configure, compile and install via -
    ./configure --with-http_ssl_module --with-http_v2_module
    make
    sudo make install
  5. Create a self-signed SSL certificate -
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout /etc/ssl/private/nginx-selfsigned.key \
      -out /etc/ssl/certs/nginx-selfsigned.crt
  6. Edit the nginx configuration file -
    sudo vim /usr/local/nginx/conf/nginx.conf
  7. Modify the segment where the HTTPS server settings lie -
    server {
        listen 443 ssl http2;
        server_name your_domain_or_ip; # 10.10.10.9
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        location / {
            root html; # this is relative to /usr/local/nginx/
            index index.html;
        }
    }
  8. Start the nginx server with the modified nginx.conf file -
    sudo /usr/local/nginx/sbin/nginx

    or, if you're modifying it for further tests, a reload would suffice -

    sudo /usr/local/nginx/sbin/nginx -s reload

Troubleshooting

If you have problems setting up the server, here are common issues and steps to fix them.

  • To ensure that HTTP/2 support is enabled and available in the nginx build, run this command -
    /usr/local/nginx/sbin/nginx -V 2>&1 | grep --color -o http_v2_module
  • Run sudo /usr/local/nginx/sbin/nginx -t to find the nginx.conf's location if it's installed in a non-default way.
  • Check your VM's IP via ip a, and if you wish to point the IP at test.local, ensure that it's specified in the /etc/hosts file.

If port 80 is occupied, identify the service using it and move that service to another port, or change the listen line in the nginx.conf file (for example, listen 1337;) to assign nginx a different port. Otherwise, an HTTP/1.1 server and an HTTP/2 server will be up and running on ports 80 and 443 respectively.

Navigate to https://IP rather than http://IP . You might need to bypass the warning for the first time by accepting the risk and proceeding to browse the website.

Checking it against the exploit PoC's vulnerability scanner script, we get the state POSSIBLE, which implies that although the script failed to send the RST_STREAM, it's possible to perform Rapid Reset on the target. To see it in action, you can test the exploit PoC at imabee101/CVE-2023-44487. The attack needs many threads and sockets open in parallel, using up a lot of resources. However, you can adjust it to enhance its usefulness.

Rapid Reset Attack Mitigation Strategy by Infrastructure providers

Utilizing Cloudflare's CDN, DDoS protection and reverse proxy services should mitigate the vulnerability on the server's end. Similarly, web servers and cloud service providers have combatted this exploit in their own ways, as listed below.

NGINX

NGINX combats flood attacks by imposing a limit on the number of new streams that can be created in one event loop. The limit is double the value set in the http2_max_concurrent_streams directive. This safeguard is in place even if streams are quickly reset post-request, as seen in the described attack.

GCP

GCP suggests that merely blocking requests isn't effective against these attacks. Instead, the entire TCP connection should be terminated upon detecting misuse.

While HTTP/2 supports connection closing via the GOAWAY frame, the standard method is not resistant to malicious clients. To mitigate this, the GOAWAY frame should immediately limit stream creation. Determining abusive connections is crucial; while cancelling requests can be genuine, consistent patterns of cancellations may indicate abuse.

Effective strategies involve monitoring connection statistics. For example, a connection with over 100 requests where more than 50% are cancelled might warrant a response, ranging from forceful GOAWAY frames to instant TCP connection closure. For attacks not involving cancellations, servers should close connections surpassing the stream limit, either instantly or after a few violations.
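
The monitoring heuristic described above, sketched as a per-connection tracker. This is an added example, not code from GCP or from the original post: the class, the method names, the stream limit of 128, the value of 3 for "a few violations" and the GOAWAY-then-close escalation order are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    GOAWAY = "goaway"        # stop accepting new streams on this connection
    CLOSE_TCP = "close_tcp"  # terminate the whole TCP connection

@dataclass
class ConnTracker:
    max_concurrent: int = 128  # assumed advertised stream limit
    min_requests: int = 100    # from the text: "over 100 requests"
    cancel_ratio: float = 0.5  # from the text: "more than 50% are cancelled"
    max_violations: int = 3    # assumed value for "a few violations"
    requests: int = 0
    cancelled: int = 0
    open_streams: int = 0
    violations: int = 0
    goaway_sent: bool = False

    def on_headers(self) -> Action:  # client opened a stream
        self.requests += 1
        self.open_streams += 1
        if self.open_streams > self.max_concurrent:
            self.violations += 1     # stream limit exceeded
            if self.violations >= self.max_violations:
                return Action.CLOSE_TCP
        return self._check_cancel_ratio()

    def on_close(self, cancelled: bool) -> Action:  # True = client RST_STREAM
        self.open_streams = max(0, self.open_streams - 1)
        self.cancelled += int(cancelled)
        return self._check_cancel_ratio()

    def _check_cancel_ratio(self) -> Action:
        abusive = self.requests > self.min_requests and self.cancelled > self.cancel_ratio * self.requests
        if not abusive:
            return Action.ALLOW
        if self.goaway_sent:         # abuse continued after GOAWAY: escalate
            return Action.CLOSE_TCP
        self.goaway_sent = True
        return Action.GOAWAY

def replay(events: str, **limits) -> list:  # constructed trace: H=HEADERS, R=RST_STREAM, E=normal end
    conn, actions = ConnTracker(**limits), []
    for ev in events:
        actions.append(conn.on_headers() if ev == "H" else conn.on_close(ev == "R"))
        if actions[-1] is Action.CLOSE_TCP:
            break
    return actions
```

Replaying "HR" repeated 150 times never has more than one stream open, so the concurrency limit alone never fires; the cancellation ratio triggers GOAWAY at the 101st request and a TCP close on the next reset.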

Cloudflare

To prevent misuse of RST_STREAM frames, Cloudflare now monitors them and terminates connections to ensure legitimate use is not affected. They improved the server's HTTP/2 processing and request dispatch along with the efficiency and responsiveness of the business logic server's queuing and scheduling to cancellations. These changes minimize potential abuse and give the server more processing capability.

Cloudflare's "IP Jail" system was made to stop big attacks by finding and blocking attacking IPs from reaching the targeted property. Given the new botnet's instant attack capability, Cloudflare expanded the IP Jail's scope.

When an IP is "jailed", it cannot access the targeted site. It is also temporarily unable to use HTTP/2 on any Cloudflare domain. As HTTP/1.x doesn't allow these protocol abuses, this hampers the attacker's capacity while causing minimal disruptions to genuine clients sharing that IP.

However, using IP-based mitigations requires caution because of their broad impact and potential for false positives. Furthermore, IPs within botnets change frequently, so long-term blocking might be counterproductive.

Other vendors like AWS and Azure have also created ways to fix this vulnerability. Depending on the technology stack being used, you can search for your vendor's solutions.

Conclusion:

In response to the CVE-2023-44487 HTTP/2 Rapid Reset attack, we suggest that organisations prioritize urgent security updates for their systems to ensure cyber resilience against these disruptive cyber threats. We are committed to keeping you updated on such vulnerabilities and the methods to mitigate them. Eventus is a top-notch Managed Security Service Provider with a plethora of cyber security solutions powered by a 24/7 dedicated team of cyber experts.

Siddhartha Shree Kaushik
Siddhartha Shree Kaushik is a Senior Cyber Security Expert at Eventus with extensive technical expertise across a spectrum of domains including penetration testing, red teaming, digital forensics, defensible security architecture, and Red-Blue team exercises within modern enterprise infrastructure.