‘Rapid Reset’ DDoS Attacks on HTTP/2 Vulnerability in Cloudflare Servers

On 10/10/2023, Cloudflare publicly disclosed CVE-2023-44487, a zero-day vulnerability in the HTTP/2 protocol that attackers had already been exploiting to generate DDoS attacks at an enormous scale.

Past Rapid Reset DDoS Attacks on Cloudflare Servers

This was not the first such HTTP/2 attack Cloudflare had seen. Earlier in 2023, Cloudflare experienced record-breaking DDoS attacks to the tune of 71 million requests per second. In 2019, Cloudflare disclosed multiple denial of service (DoS) vulnerabilities in their NGINX HTTP/2 servers.

How Rapid Reset Works

HTTP/2 allows a client to cancel a stream on an established connection by sending an RST_STREAM frame, a feature intended to save server resources by eliminating unnecessary task execution. ‘Rapid Reset’ abuses this feature: the attack on Cloudflare’s NGINX servers opened a large number of streams over a single connection and cancelled each one immediately, before any subsequent stream arrived. Because a cancelled stream no longer counts towards the server’s concurrent stream limit, the maximum was never reached and their servers became overloaded.
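To make this concrete, here is an added example (not Cloudflare’s, NGINX’s or LiteSpeed’s code) of the server-side check that mitigations for this issue rely on: counting RST_STREAM frames per connection separately from the concurrent-stream limit, run over a constructed log of frame events. The event format and the connection ids are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class ConnStats:
    opened: int = 0            # HEADERS frames that opened a new stream
    resets: int = 0            # RST_STREAM frames sent by the client
    open_streams: set = field(default_factory=set)
    peak_concurrent: int = 0   # highest number of simultaneously open streams

def analyze(frames, reset_budget=10):
    """Walk client-to-server frame events ("conn frame stream_id") and flag
    any connection that cancels more than reset_budget streams. The reset
    counter is deliberately independent of the concurrent-stream limit,
    because a reset stream frees its slot and so never trips that limit."""
    stats = defaultdict(ConnStats)
    flagged = set()
    for line in frames.strip().splitlines():
        conn, frame, stream = line.split()
        s = stats[conn]
        if frame == "HEADERS" and stream not in s.open_streams:
            s.open_streams.add(stream)
            s.opened += 1
            s.peak_concurrent = max(s.peak_concurrent, len(s.open_streams))
        elif frame == "RST_STREAM":
            s.open_streams.discard(stream)  # cancelled: concurrent slot is freed
            s.resets += 1
            if s.resets > reset_budget:
                flagged.add(conn)           # mitigation: close or rate-limit this connection
    return dict(stats), flagged

# Constructed sample events (hypothetical, not real server output).
# c1 behaves like a browser; c2 opens and immediately cancels 12 streams
# (odd stream ids, as HTTP/2 requires for client-initiated streams).
NORMAL = "c1 HEADERS 1\nc1 HEADERS 3\nc1 DATA 1\nc1 RST_STREAM 3\n"
RAPID_RESET = "".join(f"c2 HEADERS {i}\nc2 RST_STREAM {i}\n" for i in range(1, 25, 2))
SAMPLE_FRAMES = NORMAL + RAPID_RESET

if __name__ == "__main__":
    stats, flagged = analyze(SAMPLE_FRAMES)
    for conn, s in stats.items():
        print(conn, "opened", s.opened, "resets", s.resets,
              "peak concurrent", s.peak_concurrent, "FLAGGED" if conn in flagged else "")
```

Note that c2 never has more than one stream open at a time, which is why a concurrent-stream limit alone does not catch it.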

Responsible Disclosure

Cloudflare, Google, Microsoft, Amazon and F5, amongst others, had been working together on a solution to this threat. It first became known to Cloudflare in August 2023, when they noticed an unusually large number of HTTP attacks affecting their customers, peaking at 201 million requests per second. While they alerted their “web server software partners” and worked with those partners and with governments “to ensure a better Internet”, they somehow failed to alert LiteSpeed Technologies.

In their blog article detailing the method of attack, Cloudflare claimed that they believed that “any vendor that has implemented HTTP/2 will be subject to the attack”. It’s anybody’s guess why they chose not to loop LiteSpeed in on their findings – a provider which serves more than 12% of the top websites with their LiteSpeed Web Server.

How It Affected LiteSpeed Products

On receiving our notification of the vulnerability on Slack, LiteSpeed’s technical staff immediately responded that they were investigating the potential impact of the finding.

(Screenshot: QUIC.Cloud message on Slack)

Shortly thereafter, LiteSpeed published a public statement confirming that LiteSpeed server products (including LiteSpeed Web Server Enterprise, LiteSpeed Web ADC and OpenLiteSpeed) were, in fact, not vulnerable to the attacks that Cloudflare’s customers had experienced.

LiteSpeed’s unique HTTP/2 implementation was written from the ground up when LiteSpeed Enterprise became the first web server to offer HTTP/2 support, in May 2015. “Written … with security in mind”, LiteSpeed HTTP/2 is able to resist many attacks that NGINX-based servers like Cloudflare’s might struggle against, especially when combined with the QUIC.Cloud CDN, which offers advanced Layer-7 DDoS protection.

LiteSpeed has stated its intent to continue enhancing its HTTP/2 implementation in response to this attack. Thanks to this forward-thinking implementation, websites hosted on LiteSpeed Enterprise Web Servers escaped the disastrous effects of the recent explosion of Rapid Reset DDoS attacks, and no patches were required on any of Siliceous Web Hosting’s servers.