Distributed Denial of Service (DDoS) Attacks against HTTP/2
11 October 2023
Summary
CVE-2023-44487 (No scoring submitted), “HTTP/2 Rapid Reset Attack”. This vulnerability lies in the protocol's stream send-and-cancel mechanism, which can be abused to overwhelm the target server or application, resulting in a DoS. Because stream cancellation is a built-in feature of HTTP/2, it cannot be fixed at the moment other than by implementing a rate limit or blocking the protocol entirely. The attack works by sending a set of HTTP/2 requests, each a HEADERS frame immediately followed by an RST_STREAM frame, and repeating this pattern to create a high volume of traffic.
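As an added illustration of the HEADERS/RST_STREAM pattern described above, the following Python function scans a per-connection trace of client-sent HTTP/2 frames and flags connections that reset freshly opened streams at a high rate. This is example detection logic written for this page, not code from Microsoft or the advisory; the trace format, the sample data and the thresholds are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample trace of client-sent HTTP/2 frames, in the form a defender might
# export from a proxy or packet capture: (timestamp_seconds, connection_id, frame_type, stream_id).
# Connection "c1" shows the HEADERS -> RST_STREAM pattern; "c2" is ordinary traffic.
SAMPLE_FRAMES = [
    (0.000, "c1", "HEADERS", 1), (0.001, "c1", "RST_STREAM", 1),
    (0.002, "c1", "HEADERS", 3), (0.003, "c1", "RST_STREAM", 3),
    (0.004, "c1", "HEADERS", 5), (0.005, "c1", "RST_STREAM", 5),
    (0.006, "c1", "HEADERS", 7), (0.007, "c1", "RST_STREAM", 7),
    (0.000, "c2", "HEADERS", 1), (0.050, "c2", "DATA", 1),
    (0.100, "c2", "HEADERS", 3), (2.500, "c2", "RST_STREAM", 1),
]

def detect_rapid_reset(frames, window_s=1.0, max_life_s=0.1, min_rapid=4, min_ratio=0.5):
    """Return {connection_id: peak_rapid_resets_in_window} for suspicious connections.
    A reset is "rapid" when it arrives within max_life_s of that stream's HEADERS frame.
    A connection is flagged when, inside any window_s period, at least min_rapid rapid
    resets occur and they make up at least min_ratio of the streams opened in that window.
    Thresholds are assumed values for illustration and should be tuned per deployment."""
    by_conn = defaultdict(list)
    for ts, conn, ftype, sid in frames:
        by_conn[conn].append((ts, ftype, sid))
    flagged = {}
    for conn, events in by_conn.items():
        events.sort()
        opened_at = {}                    # stream_id -> time its HEADERS frame was seen
        opens, rapid = deque(), deque()   # timestamps currently inside the sliding window
        for ts, ftype, sid in events:
            if ftype == "HEADERS":
                opened_at[sid] = ts
                opens.append(ts)
            elif ftype == "RST_STREAM":
                born = opened_at.pop(sid, None)
                if born is None or ts - born > max_life_s:
                    continue              # cancelling a long-lived stream is normal client behaviour
                rapid.append(ts)
            else:
                continue
            while opens and opens[0] < ts - window_s:
                opens.popleft()
            while rapid and rapid[0] < ts - window_s:
                rapid.popleft()
            if len(rapid) >= min_rapid and opens and len(rapid) / len(opens) >= min_ratio:
                flagged[conn] = max(flagged.get(conn, 0), len(rapid))
    return flagged
```

On the sample trace only "c1" is flagged; the late cancel on "c2" is ignored because that stream had been open for seconds, not milliseconds.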
Security Recommendations
Microsoft recommends disabling the HTTP/2 protocol. This HTTP DDoS activity is primarily targeted at layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections in its web service implementations and patched services to better protect customers from the impact of these DDoS attacks. Microsoft has provided the following recommendations and advisories:
- Microsoft services used for hosting web applications have applied security updates to provide mitigations against this attack.
- Microsoft recommends customers that are self-hosting web applications patch web servers/proxies using Windows update or Open-Source Software (OSS) fixes for CVE-2023-44487 as quickly as possible to protect their environments. Affected products requiring customer action have been released in our Microsoft Security Update Guide.
- Microsoft recommends enabling Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway to further improve security posture. WAF rate limiting rules are effective in providing additional protection against these attacks. Review the recommendations section or this blog for more details.
- Microsoft recommends restricting internet access to your web applications where possible.
- If you are unable to apply the appropriate patches and your web application is not protected by WAF on Azure Front Door or Application Gateway, consider disabling HTTP/2 on your web services. Please note that disabling the HTTP/2 protocol in your environment should be a deliberate decision, made after carefully assessing its potential impact on your products and services, as it can significantly affect performance and user experience.
Microsoft has provided a detailed advisory on the vulnerability here.