Hammering The Internet: Meet HTTP/2 Rapid Reset

Just when you think you have solved one problem, another one comes along. To cut latency, the web has been moving away from HTTP/1.1, where each TCP connection carries one request at a time, towards a protocol that multiplexes many requests over a single connection. HTTP/2 was created to support this. But the very feature that gives it its speed, cheap creation and cancellation of streams, also makes it vulnerable to DDoS (Distributed Denial of Service) attacks, and a new one has now appeared: the “HTTP/2 Rapid Reset” attack.

This attack was detected by Cloudflare, AWS and Google, and it produced the highest request rate Cloudflare had ever recorded: 201 million requests per second, beating the previous record of 71 million requests per second. Luckily, providers such as Cloudflare already have defences in place against this attack, which has been known about since the end of August 2023.

By Cloudflare's estimate, the entire web typically sees only between 1 and 3 billion requests per second, so an attack of 201 million requests per second amounts to somewhere between roughly 7% and 20% of all web requests (201 million divided by 3 billion and by 1 billion respectively). That is a significant footprint on global traffic, and it crashes the servers it targets.

The attack is normally launched from a botnet. Each bot opens an HTTP/2 connection and then, in a tight loop, opens a stream by sending a HEADERS frame (a request) and immediately cancels it with an RST_STREAM frame. This becomes a sequence of request, cancel, request, cancel, and so on. By the time the cancel arrives the server has already done the work of parsing and routing the request, and often of forwarding it to a backend, yet because a cancelled stream no longer counts as open, the client never hits the server's SETTINGS_MAX_CONCURRENT_STREAMS limit, and a single connection can generate far more requests than that limit was meant to allow. The real threat comes when this is multiplied across a large-scale botnet of compromised machines. For many organisations the protection is an external WAF (Web Application Firewall), such as Cloudflare's, which can detect the pattern and drop these streams, or the whole connection, once botnet activity is identified. Along with this, the perimeter firewall can integrate DDoS protection.

HTTP/1.1 is a very simple protocol for accessing web content: the client makes a request with a method such as GET, PUT or POST, and receives back the header information and the web page, with each TCP connection serving one request at a time. HTTP/2 improves on this by compressing the HTTP headers (HPACK) and by multiplexing multiple requests, each on its own stream, over a single TCP connection. Multiplexing the streams removes the delay of setting up a connection for each request. Along with this, HTTP/2 allows requests to be prioritised, and streams to be cancelled by either side with an RST_STREAM frame, which is the mechanism Rapid Reset abuses.
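The request/cancel loop described above, and the stream and frame mechanics of HTTP/2 in the preceding paragraph, can be made concrete with a small parser. The following is an added example written for this page, not code from the original article or from any vendor: it serialises and parses HTTP/2 frames (the 9-byte frame header, HEADERS and RST_STREAM types), replays a constructed client byte stream the way a server accounts for streams, and shows why the attack never trips SETTINGS_MAX_CONCURRENT_STREAMS (peak open streams stays at 1 while 200 requests have to be processed). The cancel-ratio detector and the per-connection reset budget use illustrative thresholds chosen here, not any vendor's defaults, and the sample traffic is constructed inline.

```python
"""Added example, not code from the original article: a minimal HTTP/2 frame
parser that replays a client byte stream and flags the Rapid Reset pattern.
Assumptions: the input is the raw client-to-server bytes after the connection
preface, and the thresholds below are illustrative, not any vendor's defaults."""
from dataclasses import dataclass

# Frame type codes (RFC 7540, section 6) and the RST_STREAM error code the attack uses.
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9
# HPACK indexed fields ':method: GET' (2) and ':path: /' (4) from the RFC 7541 static table.
GET_ROOT = b"\x82\x84"


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> list:
    """Split a raw byte stream into frames; raise on a truncated trailing frame."""
    frames, pos = [], 0
    while pos < len(data):
        if pos + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append(Frame(ftype, flags, stream_id, payload))
        pos += FRAME_HEADER_LEN + length
    return frames


def replay(frames: list) -> dict:
    """Account for frames the way a server does. 'opened' is how many requests the
    server had to start processing; 'peak_open' is the most streams open at once,
    which is what SETTINGS_MAX_CONCURRENT_STREAMS limits. A cancelled stream leaves
    the open set immediately, so a HEADERS/RST_STREAM loop never trips that limit."""
    open_streams = set()
    opened = cancelled = peak_open = 0
    for f in frames:
        if f.ftype == HEADERS and f.stream_id not in open_streams:
            open_streams.add(f.stream_id)
            opened += 1
            peak_open = max(peak_open, len(open_streams))
        elif f.ftype == RST_STREAM and f.stream_id in open_streams:
            open_streams.discard(f.stream_id)
            cancelled += 1
    return {"opened": opened, "cancelled": cancelled, "peak_open": peak_open}


def is_rapid_reset(stats: dict, min_requests: int = 50, cancel_ratio: float = 0.9) -> bool:
    """Detection: flag a connection on which nearly every request is cancelled by the client."""
    return (stats["opened"] >= max(min_requests, 1)
            and stats["cancelled"] / stats["opened"] >= cancel_ratio)


def exceeds_reset_budget(frames: list, budget: int = 10) -> bool:
    """Mitigation: count client RST_STREAM frames per connection and close the
    connection (GOAWAY) once an illustrative budget is exceeded."""
    return sum(1 for f in frames if f.ftype == RST_STREAM) > budget


def benign_client(n: int = 5) -> bytes:
    """Constructed traffic: n ordinary GETs on odd client stream ids, none cancelled."""
    return b"".join(build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 2 * i + 1, GET_ROOT)
                    for i in range(n))


def rapid_reset_client(n: int = 200) -> bytes:
    """Constructed traffic: n request/cancel pairs, each HEADERS followed at once by RST_STREAM(CANCEL)."""
    out = []
    for i in range(n):
        sid = 2 * i + 1
        out.append(build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, GET_ROOT))
        out.append(build_frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big")))
    return b"".join(out)


if __name__ == "__main__":
    for name, capture in (("benign", benign_client()), ("attacker", rapid_reset_client())):
        frames = parse_frames(capture)
        stats = replay(frames)
        print(name, stats, "rapid_reset:", is_rapid_reset(stats), "over_budget:", exceeds_reset_budget(frames))
```

Run stand-alone, the benign client reports 5 opened, 0 cancelled and a peak of 5 open streams, while the attacker reports 200 opened, 200 cancelled and a peak of only 1, and is flagged by both checks. That contrast is the point of the attack: the server's concurrency limit never sees anything wrong, so the defence has to budget what a client is allowed to cancel per connection (or per time window) rather than how much it is allowed to have in flight.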

The general advice is:

  • If not strictly required, consider switching off HTTP/2 (and HTTP/3) for now, accepting the fall-back to HTTP/1.1.
  • Ensure that DDoS protection is implemented outside your network, upstream of your own servers.
  • Enable application-layer DDoS protection in your Web Application Firewall (WAF).
  • Patch all web-facing infrastructure, including the servers, reverse proxies and load balancers that terminate HTTP/2, as vendor fixes are released.