
Security Vulnerability: CVE-2023-44487: HTTP/2 ‘Rapid Reset’ attack

This document (000021240) is provided subject to the disclaimer at the end of this document.

Environment

For a detailed list of affected products please review the SUSE CVE announcement.

Situation

Back in August 2023, Amazon Web Services, Cloudflare and Google noticed a new type of DDoS attack on their networks. These attacks reached record-breaking sizes, 3 times bigger than previous attacks.

As it turned out, the problem being exploited was not an implementation bug, but an issue in the design of the HTTP/2 protocol itself. The principle of the 'Rapid Reset' attack is quite simple.

Resolution

Several upstream projects updated their code to implement or extend mitigation mechanisms that prevent or lower the impact of these attacks. This is usually done by setting a reset rate limit: a connection that sends too many RST_STREAM frames within a given time window is closed.

Mitigations already in place:
- apache2
- haproxy

Currently we are updating and monitoring the following implementations:
- netty
- nginx
- nghttp2
- tomcat
- nodejs

For a status on the release of updated packages please consult the SUSE CVE announcement.

Cause

With HTTP/1.1, all requests to the server are processed serially on one connection. The client sends a request; the server reads it, processes it and sends a response. Only then is the next request processed.
The newer HTTP/2 protocol allows multiple bidirectional streams via a single TCP connection. A client can therefore send multiple requests at once, which are then answered by the server. This results in a much higher utilization of each connection.

The 'Rapid Reset' attack exploits the fact that each of those inner streams can be canceled at any point in time via an RST_STREAM frame. This can even be done before any data has been transmitted back to the client.
The problem that arises is the following. The request is processed by the server, and for this purpose resources are allocated per stream. These resources have to be freed again a moment later when the RST_STREAM frame arrives.

Opening and immediately resetting a stream costs the attacker nearly nothing, but can, depending on the server implementation, cause significant resource utilization on the victim side, since the server does the allocation and teardown work for every stream regardless of the reset.
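The reset rate limit mentioned under Resolution, shown as an added example that is not SUSE's text and not the code of any of the listed projects: a minimal per-connection RST_STREAM counter over a sliding window, driven by constructed frame traffic. The frame tuple format, the limit values and all function names are assumptions for this illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Policy values are assumptions for this example; real servers pick their own.
MAX_RESETS = 10     # client-sent RST_STREAM frames tolerated per window
WINDOW_SECS = 1.0   # sliding window length in seconds

@dataclass
class ConnectionState:
    """Per-connection bookkeeping: open streams and recent client resets."""
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)
    closed: bool = False

def handle_frame(conn, frame_type, stream_id, now):
    """Apply one client frame; return 'open', 'reset', 'goaway' or 'ignored'.

    HEADERS opens a stream (where a server allocates per-stream resources);
    RST_STREAM releases them. More than MAX_RESETS resets within WINDOW_SECS
    is treated as the Rapid Reset pattern and the connection is torn down.
    """
    if conn.closed:
        return "ignored"
    if frame_type == "HEADERS":
        conn.open_streams.add(stream_id)
        return "open"
    if frame_type == "RST_STREAM":
        conn.open_streams.discard(stream_id)
        conn.reset_times.append(now)
        # Slide the window: forget resets older than WINDOW_SECS.
        while conn.reset_times and now - conn.reset_times[0] > WINDOW_SECS:
            conn.reset_times.popleft()
        if len(conn.reset_times) > MAX_RESETS:
            conn.closed = True
            conn.open_streams.clear()
            return "goaway"
        return "reset"
    return "ignored"

def simulate(frames):
    """Feed (frame_type, stream_id, timestamp) tuples to one fresh connection."""
    conn = ConnectionState()
    return [handle_frame(conn, ft, sid, ts) for ft, sid, ts in frames]

# Constructed traffic: a polite client, then 12 streams opened and reset at once.
NORMAL = [("HEADERS", 1, 0.0), ("HEADERS", 3, 0.2), ("RST_STREAM", 3, 0.5)]
BURST = [f for i in range(12)
         for f in (("HEADERS", 2 * i + 1, i * 0.01),
                   ("RST_STREAM", 2 * i + 1, i * 0.01 + 0.001))]
```

Because the connection is closed as soon as the limit is crossed, the per-connection deque never grows beyond MAX_RESETS + 1 entries, so the mitigation itself cannot be turned into a memory sink.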

Status

Security Alert

Additional Information

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021240
  • Creation Date: 18-Oct-2023
  • Modified Date: 18-Oct-2023
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Manager Proxy
