How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack | Google Cloud Blog

Learn how the new DDoS attack technique Rapid Reset works, and how to mitigate it

@thekayfox Am I reading this right? The mitigation is to leave the knobs at the preset position?

@EndlessMason

I am only familiar with F5 BIG-IP so I will speak to that:

For F5 BIG-IP it appears that threat modeling when the HTTP/2 profile was introduced drove a conservative setting of 10 max concurrent streams, so yes, if you have the default, it's most likely good enough to prevent this vector from having disparate impact.

Since the BIG-IP HTTP/2 profile waits for a request to open a backend connection, this means the only impact for this attack is in BIG-IP, so the attack may be completely absorbed by BIG-IP without issue.

There will likely not be any Advanced WAF signatures as the WAF is not engaged until a request is received.

@thekayfox I'd bet there will be a variant on it where you cancel just after making the request, since that would move the load to the things behind the proxy

@EndlessMason That would significantly increase the resources needed to carry out the attack to a point that carrying it out in this way has no real advantage.

And then that makes it trivial to block it using BIG-IP Advanced WAF's DoS protection or DoS protections in BIG-IP AFM or maybe even an iRule.
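The thread above makes three points that are easier to see with stream accounting in front of you: a max-concurrent-streams limit stops a plain stream flood, Rapid Reset never trips that limit because every RST_STREAM frees the slot it just used, and a proxy that only dispatches a request once it is complete and still uncancelled absorbs the pattern, while the "cancel just after the request" variant does reach the backend but at a throughput bounded by the stream limit. The following toy model is an added example, not code from the Google Cloud post, from F5, or from either commenter. It assumes a simplified proxy that processes frames in "ticks" and dispatches at the end of each tick, an advertised limit of 10 streams, odd client stream IDs, and a per-connection RST_STREAM budget as an assumed extra mitigation that the page itself does not describe.

```python
"""Toy model of HTTP/2 stream accounting on a proxy under a Rapid Reset pattern.

Added example, not code from the Google Cloud post or from F5. A single
client connection is a list of "ticks" (batches of frames the proxy
processes before it dispatches anything); the proxy only sends a request
to the backend if its stream is still open when the tick ends. The limit
values and the reset budget are assumptions for the model.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Frame = Tuple  # ("HEADERS", stream_id, end_stream) or ("RST_STREAM", stream_id)


@dataclass
class ProxyConn:
    max_concurrent: int = 10             # SETTINGS_MAX_CONCURRENT_STREAMS advertised to the client (assumed)
    reset_limit: Optional[int] = None    # assumed mitigation: RST_STREAM budget per connection; None = no budget
    open_streams: Set[int] = field(default_factory=set)
    pending: List[int] = field(default_factory=list)  # complete requests not yet dispatched
    backend_requests: int = 0
    resets: int = 0
    refused: int = 0
    peak_concurrent: int = 0
    closed: bool = False                 # True once the proxy has sent GOAWAY

    def on_frame(self, frame: Frame) -> str:
        if self.closed:
            return "ignored"
        kind, sid = frame[0], frame[1]
        if kind == "HEADERS":
            # the concurrency limit is enforced against currently open streams only
            if len(self.open_streams) >= self.max_concurrent:
                self.refused += 1
                return "REFUSED_STREAM"
            self.open_streams.add(sid)
            self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            if frame[2]:                 # END_STREAM set: the request is complete
                self.pending.append(sid)
            return "open"
        if kind == "RST_STREAM":
            # a reset frees the slot immediately, so the client can open another stream
            self.open_streams.discard(sid)
            self.resets += 1
            if self.reset_limit is not None and self.resets > self.reset_limit:
                self.closed = True
                return "GOAWAY"
            return "reset"
        raise ValueError(f"unknown frame type {kind}")

    def end_tick(self) -> None:
        # dispatch only requests whose stream the client has not cancelled meanwhile
        if not self.closed:
            self.backend_requests += sum(1 for sid in self.pending if sid in self.open_streams)
        self.pending.clear()


def run(conn: ProxyConn, ticks: List[List[Frame]]) -> ProxyConn:
    for tick in ticks:
        for frame in tick:
            conn.on_frame(frame)
        conn.end_tick()
    return conn


def flood(n: int) -> List[List[Frame]]:
    """Naive flood: n complete requests in one tick, never cancelled."""
    return [[("HEADERS", 2 * i + 1, True) for i in range(n)]]


def rapid_reset(n: int) -> List[List[Frame]]:
    """Rapid Reset: each HEADERS(END_STREAM) is followed at once by RST_STREAM."""
    tick: List[Frame] = []
    for i in range(n):
        sid = 2 * i + 1
        tick += [("HEADERS", sid, True), ("RST_STREAM", sid)]
    return [tick]


def delayed_reset(n: int, batch: int) -> List[List[Frame]]:
    """Variant from the thread: cancel only after the proxy has had a chance to dispatch.
    The client must wait a tick per batch, so throughput is bounded by the stream limit."""
    ticks: List[List[Frame]] = []
    opened, prev = 0, []
    while opened < n or prev:
        tick: List[Frame] = [("RST_STREAM", sid) for sid in prev]
        prev = []
        for _ in range(min(batch, n - opened)):
            sid = 2 * opened + 1
            tick.append(("HEADERS", sid, True))
            prev.append(sid)
            opened += 1
        ticks.append(tick)
    return ticks


if __name__ == "__main__":
    for name, ticks, conn in [
        ("flood", flood(100), ProxyConn()),
        ("rapid reset", rapid_reset(100), ProxyConn()),
        ("rapid reset + budget", rapid_reset(100), ProxyConn(reset_limit=50)),
        ("delayed reset", delayed_reset(100, 10), ProxyConn()),
    ]:
        c = run(conn, ticks)
        print(f"{name:22} peak={c.peak_concurrent:3} refused={c.refused:3} "
              f"resets={c.resets:3} backend={c.backend_requests:3} goaway={c.closed}")
```

Running it shows the flood capped at 10 open streams with 90 refused, Rapid Reset sending 100 stream open/reset pairs while never holding more than one stream open and never reaching the backend in this model, the assumed reset budget closing the connection after 51 resets, and the delayed-cancel variant needing 11 ticks to push 100 requests through, which is the cost increase the last comment refers to. The reset budget is only one possible control; what the model really demonstrates is that a concurrency limit and a rate limit on stream churn measure different things.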