If you switched from HTTP/1 to HTTP/2, you’re a possible target of massive DDoS attacks. Hackers recently started to exploit a key feature of the HTTP/2 protocol. The vulnerability is tracked as CVE-2023-44487.
The HTTP/2 Rapid Reset DDoS attacks that targeted Google services this August went over 398 million requests per second. The attacks were 76% larger than the former record of 46 million requests per second.
So, I asked Robertino Matausch to put things in context. Robertino is Head of Global Pre-Sales Engineering @Heimdal and brings over 30 years of experience in cybersecurity.
Q) What are the purposes behind DDoS and DoS attacks?
R.M: DoS attacks usually have two kinds of intentions in the background: stopping a service or obfuscating other malicious activities. First, political ideas and opinions can be a reason to run a Denial-of-Service attack against a regime or a party.
In the second case, hackers use Denial of Service (DoS) to turn a system unstable. Then they use other hacking tools to enter the system or cover traces of tampering with the system. Their goal is to get everybody to focus on the DoS and completely ignore a potential backdoor attack.
For example, hackers may use DDoS attacks to shut down a banking page so you cannot log in. Then they create a banking simulation page and send a phishing message saying:
“Hey, we know we have problems, please use our secondary login page for logging in.” And that’s how they succeed in phishing your credentials.
Q) What should a security team do in case of a DDoS attack?
R.M: Usually, I’d say they should have a look at what is going on internally. That depends, of course, on their company’s infrastructure.
For example, if you are running a WordPress page, the first thing you should do is check if you have already applied all the needed patches on your web page, on your web server, etc.
Q) How can you prevent DDoS attacks?
R.M: There are tools like Cloudflare that you can use. That kind of technology is basically trying to analyze the incoming packages and requests and block any request that comes from the malicious ones.
But because there are constantly new attacks, well, they have to react. They have to continuously extend their functionalities to protect against new attacks.
That is like going to the medieval age, when they had no guns. The armor was good enough against an arrow or a sword. But at some point, when faced with a Glock, the armor became useless. So, you have to continuously improve your armor, your defense system.
Q) How does the HTTP/2 Rapid Reset DDoS technique differ from other attacks?
R.M: The HTTP/2 Rapid Reset attack uses multiplexing, an inherent feature of the HTTP/2 protocol, making it more efficient than previous methods.
While older attacks required extensive resources, this technique achieves greater impact with less effort. HTTP/2 allows for multiple data streams over a single connection. Hackers found a way to exploit this multiplexing feature and now they can create more efficient attacks.
Q) Why would hackers opt for HTTP/2 over other DDoS attack techniques?
R.M: It is more efficient and cost-effective. You can shut down a web page or a domain with less effort. It’s the easiest way to do it at the moment.
Previously for DDoS attacks you had to run a script on a computer or several computers to create a real request. Then you had to wait and sometimes you had to keep the computer open and then disconnect.
The procedure was time-consuming. You also needed a powerful machine to create all these connections. You needed more hardware on your side to get the same impact those guys have now due to the exploitation of HTTP/2’s multiplexing feature.
With HTTP/2 Rapid Reset you don’t need a huge botnet anymore to inflict as much damage. You can use only 30 or 40% of the botnet you usually needed to run a DDoS with a certain impact.
In HTTP 1.1, each request is processed serially while HTTP/2 can have multiple concurrent streams and connections at one time. In the first case you need, let’s say, 100 connections to send 100 requests. With HTTP/2, you only need one connection to push, let’s say 100 requests. So, that’s at least 100 times more efficient.
Q) Who uses HTTP/2?
R.M: Now, roughly 35 to 36% of all the web pages are using HTTP/2. Everything that is under high load uses this protocol because of its performance benefits.
Every provider with a web interface and answering HTTP requests was interested in upgrading protocols. They needed them to perform better and to deliver at the speed required by their customers. Those are guys who process large amounts of data. It’s not some local small bakery.
You see, there are popular sites using HTTP/2 that make really interesting targets: Google, Microsoft, Apple, YouTube, Netflix, LinkedIn, Bing, Yahoo, etc. The point is a lot of businesses are running in the cloud. Uber, for example, is not self-hosting. Uber uses cloud services. Their cloud provider is using HTTP/2 or HTTP/3. That means you can attack Uber too; the HTTP/2 flaw also affects them.
So, every big company that is using AWS, Google, Azure is a potential victim, because they’re using those infrastructures. In the case of HTTP/2 the problem is not a bug but a feature that is intrinsic to the system and hackers use the feature against the system itself.
Q) How can organizations protect against HTTP/2 Rapid Reset DDoS attacks?
R.M: When exploiting HTTP/2 Rapid Reset, hackers don’t attack a specific kind of infrastructure or software. They are attacking the very backbone of the whole infrastructure that is using HTTP.
One thing you can do is use services like Cloudflare, Google, etc. You should also update the firmware of your routers, since we’re talking about a layer 7 attack. Of course, you also have to patch or improve at version 2.1 of HTTP/2. But because the vulnerability is intrinsic to the protocol itself, it’s hard to get real protection against CVE-2023-44487.
One of the main benefits that differentiates HTTP/2 from HTTP/1.1 is its multiplexing feature that hackers exploit now. HTTP/1.1 loads resources in a row. If one packet fails to load it blocks all the other packages. The multiplexing feature enables HTTP/2 to send multiple streams of data through a single TCP connection. So, HTTP/2 is both faster and more efficient. But this differentiating feature is also its flaw.
It’s like someone inventing the hammer to allow me to put a nail into wood. All of a sudden someone comes up with the idea that he may also use that hammer to hit people in the head. There is no way you can fix the hammer against being a weapon.
What you can do is maybe invent a hat detector and put it on the hammer. So, if somebody is swinging the hammer towards somebody’s hat, the detector will sense it and stop it.
If cloud providers were to downgrade to HTTP 1.1, they would be forced to extend their hardware to cover all the new requests and fulfill performance requirements. HTTP/2 is of course an evolutionary development of HTTP. It’s faster, uses less resources, is more responsive, etc. There is no way to go back.
Q) Why shouldn’t companies go back to HTTP 1.1?
R.M: The problem with that so-called solution is that it can open the gate for other breaches. Hackers can try to force you to return to a former version of the protocol, with very specific vulnerabilities, on purpose. They press you to be vulnerable again to old flaws. It’s like removing an update, a downgrading.
Think of it like this.
You have a pack of animals, and you create roadblocks to press them in a certain direction. You know exactly where they’ll go. So, you wait there. As a hacker, you’re creating an attack on a protocol. That forces potential victims to downgrade to an older version of the protocol that had known vulnerabilities. Then you can exploit those old flaws, or you can use against the target exploit kits that you already had. Those exploit kits would have been useless against HTTP/2.
Multiplexing improves performance a lot.
A company like Facebook will always want to implement a new promising protocol. Let’s say 200% more connections for users plus lower latency with faster response on the web page.
Q) How do you see this HTTP/2 Rapid Reset method in the cybersecurity landscape?
R.M: HTTP/2 Rapid Reset is a hack of weakness in a protocol of weak implementation and hackers abused it.
You could say the improvements they made for HTTP/2 offered hackers, on a silver plate, the means to increase a denial-of-service attack’s efficiency. At the end of the day, technology created the perfect hammer for the companies to use, but now somebody else took the hammer and turned it on the companies.
It’s typical hacker behavior, the good old story.
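As an added illustration (not part of the interview and not any vendor's code), the sketch below shows the kind of per-connection check a server or proxy can apply to the traffic pattern behind CVE-2023-44487: a client that opens streams with HEADERS frames and cancels them almost immediately with RST_STREAM. The event tuples, thresholds and function names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0         # assumed sliding window (seconds)
MAX_RAPID_RESETS = 20  # assumed cap on rapid cancellations per window
RAPID_AGE_S = 0.05     # assumed: a cancel this soon after open is "rapid"

def find_rapid_reset(events, window=WINDOW_S, max_resets=MAX_RAPID_RESETS,
                     max_age=RAPID_AGE_S):
    """events: time-ordered (ts, conn_id, frame_type, stream_id) tuples for
    client-to-server frames. Returns {conn_id: ts at which the cap was exceeded}."""
    opened = defaultdict(dict)   # conn -> {stream_id: time the stream was opened}
    recent = defaultdict(deque)  # conn -> timestamps of rapid resets in the window
    flagged = {}
    for ts, conn, ftype, sid in events:
        if conn in flagged:
            continue  # a server would already have sent GOAWAY and closed it
        if ftype == "HEADERS":
            opened[conn].setdefault(sid, ts)
        elif ftype == "RST_STREAM":
            start = opened[conn].pop(sid, None)
            if start is None or ts - start > max_age:
                continue  # unknown stream, or an ordinary late cancellation
            q = recent[conn]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # forget resets that fell out of the window
            if len(q) > max_resets:
                flagged[conn] = ts
    return flagged

def sample_events():
    """Constructed sample: conn 'A' behaves like a browser, conn 'B' opens
    and cancels streams in a tight loop on a single connection."""
    ev = []
    for i in range(30):          # A: 30 requests over 3 s, two cancelled late
        sid = 1 + 2 * i          # client-initiated stream ids are odd
        ev.append((i * 0.1, "A", "HEADERS", sid))
        if i in (5, 17):
            ev.append((i * 0.1 + 0.5, "A", "RST_STREAM", sid))
    for i in range(200):         # B: 200 streams, each cancelled after 1 ms
        sid, t = 1 + 2 * i, 1.0 + i * 0.002
        ev.append((t, "B", "HEADERS", sid))
        ev.append((t + 0.001, "B", "RST_STREAM", sid))
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    print(find_rapid_reset(sample_events()))
```

Because cancelled streams no longer count against the concurrent-stream limit, a check like this has to budget cancellations per connection rather than rely on that limit alone.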