Full Report
A 0-day rooted in the HTTP/2 protocol design was discovered that leads to Denial of Service (DoS) attacks. Cloudflare, being a CDN with a major DDoS prevention system, was at the forefront of this. They saw attacks peaking at 201 million requests per second, roughly 3x bigger than the largest attack they had seen before.

So, what's the issue? HTTP/2 is a major improvement on HTTP/1. It carries the same requests and responses as before but adds concurrency and multiplexing: each request/response exchange inside a single connection rides on its own stream. The server advertises a hard limit (SETTINGS_MAX_CONCURRENT_STREAMS) on how many streams a client may have open at once on one connection, precisely to prevent resource-exhaustion DoS. HTTP/2 also supports in-flight cancellation of a stream: the client sends a RST_STREAM frame. A cancelled stream stops counting against the open-stream limit immediately.

By opening a stream and resetting it right away, over and over, an attacker never exceeds the limit yet forces the server to pay the full cost of every stream: allocating the stream slot, dispatching the request, and then the computational work of cleaning it up. Cloudflare's edge, for example, copies the socket data into a buffer and processes that buffer; once the cancellation arrives, processing stops, but it has already eaten a lot of resources. The bug reminds me of the SlowHTTP attacks on HTTP/1.1 from years ago. Eat up enough resources and the server falls over.

Besides the technical side, it's fascinating to see how Cloudflare mitigates these types of problems. They take the security of uptime seriously, which I really appreciate.
Analysis Summary
# Vulnerability: HTTP/2 Rapid Reset Denial of Service (DoS)
## CVE Details
- CVE ID: **Not given in the source material.** (The HTTP/2 Rapid Reset attack is publicly tracked as **CVE-2023-44487**; that identifier comes from the public disclosure, not from the report above.)
- CVSS Score: **Not given in the source.** (A network-reachable, unauthenticated DoS with no confidentiality or integrity impact corresponds to the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. 7.5 High.)
- CWE: **CWE-400: Uncontrolled Resource Consumption** (Inferred from the mechanism description)
## Affected Systems
- Products: **Servers and clients implementing the HTTP/2 specification** (Specifically impacted services handling stream state, like CDNs and web servers).
- Versions: **Unknown** (Affects implementations reliant on the standard handling of `RST_STREAM` frames.)
- Configurations: Any configuration enabling HTTP/2.
## Vulnerability Description
The vulnerability lies in how HTTP/2 servers account for streams cancelled via the `RST_STREAM` frame. HTTP/2 multiplexes many concurrent streams over a single connection, and to bound resource use the server advertises `SETTINGS_MAX_CONCURRENT_STREAMS`, the number of streams a client may have open at once. A stream the client resets leaves the open set immediately and no longer counts against that limit. An attacker therefore sends a `HEADERS` frame (a complete request) followed at once by `RST_STREAM` for that stream, and repeats this as fast as the link allows: the concurrent-stream count never rises above one, so the only built-in guard never triggers, yet the server pays the full cost of allocating the stream, dispatching the request (in a proxy, often to an upstream) and then tearing the state down again. This churn drives CPU and memory use far beyond what the advertised stream limit was meant to permit, exhausting the server (CWE-400) and denying service to legitimate clients.
## Exploitation
- Status: **Observed in the wild** (Cloudflare reported observing related attacks reaching 201 million requests per second).
- Complexity: **Low** (a single client sends repeated `HEADERS`/`RST_STREAM` pairs over an ordinary HTTP/2 connection; no authentication or user interaction is needed).
- Attack Vector: **Network**
## Impact
- Confidentiality: **None**
- Integrity: **None**
- Availability: **High** (Directly causes server crash or unresponsiveness due to resource exhaustion).
## Remediation
### Patches
- **Specific patch information is not available in the source text.** Consult the advisories of the affected HTTP/2 implementations (web servers, reverse proxies and HTTP libraries) for official fixes; the fixes generally add per-connection accounting of streams that are opened and then reset, rather than relying on the concurrent-stream limit alone. (Cloudflare published its write-up as part of a coordinated disclosure with other large providers and implementers.)
### Workarounds
- **Reset budget per connection:** count, per connection, the streams a client opens and then cancels before completion (or simply the rate of `RST_STREAM` frames). When the count or rate exceeds a threshold, answer with `GOAWAY` and close the connection. Lowering `SETTINGS_MAX_CONCURRENT_STREAMS` on its own does not help, because a reset stream never counts against it.
- **Bound the work done before a request is validated:** keep per-stream setup cheap, and on `RST_STREAM` cancel any dispatched work (upstream requests, buffered processing) promptly, so that an aborted stream costs as little as possible.
- **Connection monitoring and edge controls:** flag connections whose stream creation/cancellation count dwarfs the data actually exchanged (the HTTP/2 analogue of the HTTP/1.1 "Slow HTTP" pattern), and rate-limit or block the source at the edge. As a last resort, disabling HTTP/2 on the affected listener drops clients back to HTTP/1.1, which has no stream multiplexing to abuse.
## Detection
- **Indicators of Compromise:**
- Extremely high rate of `RST_STREAM` frames observed on active HTTP/2 connections.
- Unexplained spikes in CPU utilization linked to connection/socket processing, even when bandwidth usage appears low.
- Connection states rapidly cycling between stream opening and immediate closure.
- **Detection Methods and Tools:**
- Network monitoring tools capable of deep packet inspection (DPI) on HTTP/2 traffic to count frame types.
- Per-connection frame counters exported by the web server or load balancer. Note that access logs written when a response completes never record a cancelled request, so request-rate counters alone under-count the attack.
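To make the mechanism in the Vulnerability Description, the per-connection reset budget from the Workarounds and the frame counting from this Detection section concrete, here is an added example; it is not code from the report or from Cloudflare. The frame layout, frame type codes and error codes follow RFC 9113; the class and function names (`Http2Connection`, `rapid_reset_traffic`, `frame_type_counts`), the `work_units` cost model, the `reset_budget` threshold and the sample header block are assumptions made for the illustration. The server model does not decode HPACK or implement flow control; it only tracks stream state the way the text describes.

```python
"""Added model of the HTTP/2 Rapid Reset attack: frame (de)serialization per RFC 9113,
an attacker byte stream, a server-side connection that tracks stream state, and a
per-connection reset budget as mitigation.  Names, the work-unit cost model and the
sample header block are constructed for this illustration."""
import struct
from collections import Counter

# Frame type codes, flags and error codes from RFC 9113.
HEADERS, RST_STREAM, GOAWAY = 0x1, 0x3, 0x7
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL, ERR_ENHANCE_YOUR_CALM = 0x8, 0xB

# Minimal HPACK block (static-table indexes 2, 4, 6: ":method GET", ":path /",
# ":scheme http").  The model below never decodes it; it is here so the attacker's
# frames are structurally complete requests.
HEADER_BLOCK = b"\x82\x84\x86"


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) \
        + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(data):
    """Split a byte stream into (type, flags, stream_id, payload) tuples; stops at a truncated frame."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def rapid_reset_traffic(n_streams):
    """Attacker bytes: for each client-initiated (odd) stream id, a complete request in one
    HEADERS frame immediately followed by RST_STREAM(CANCEL) for the same stream."""
    out = bytearray()
    for i in range(n_streams):
        sid = 2 * i + 1
        out += frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, HEADER_BLOCK)
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


class Http2Connection:
    """Server side of one connection.  With reset_budget=None it behaves like a pre-fix server:
    the only guard is SETTINGS_MAX_CONCURRENT_STREAMS, which a reset stream stops counting against."""

    def __init__(self, max_concurrent_streams=100, reset_budget=None):
        self.max_concurrent = max_concurrent_streams
        self.reset_budget = reset_budget
        self.open_streams = set()
        self.peak_concurrent = 0   # highest number of simultaneously open streams seen
        self.refused = 0           # HEADERS rejected because the concurrent-stream limit was hit
        self.resets = 0            # streams the client opened and then cancelled
        self.work_units = 0        # stand-in for CPU: one unit to set a stream up, one to tear it down
        self.goaway = None         # error code sent with GOAWAY once the connection is closed

    def handle(self, data):
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.goaway is not None:
                break                                  # connection closed; later frames are not processed
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    self.refused += 1                  # REFUSED_STREAM: the guard the spec relies on
                    continue
                self.open_streams.add(sid)
                self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
                self.work_units += 1                   # allocate stream state, dispatch the request
            elif ftype == RST_STREAM and sid in self.open_streams:
                self.open_streams.discard(sid)         # slot freed at once: the root of the problem
                self.resets += 1
                self.work_units += 1                   # cancel dispatched work, free the state
                if self.reset_budget is not None and self.resets > self.reset_budget:
                    self.goaway = ERR_ENHANCE_YOUR_CALM  # mitigation: drop the abusive connection
        return self


def frame_type_counts(data):
    """Detection-side view: frame types on the wire, as a DPI sensor or per-connection counter sees them."""
    return Counter(ftype for ftype, _, _, _ in parse_frames(data))


if __name__ == "__main__":
    attack = rapid_reset_traffic(10_000)
    plain = Http2Connection().handle(attack)
    guarded = Http2Connection(reset_budget=200).handle(attack)
    print(f"unmitigated: peak open={plain.peak_concurrent} refused={plain.refused} work={plain.work_units}")
    print(f"with budget: work={guarded.work_units} goaway=0x{guarded.goaway:x}")
    counts = frame_type_counts(attack)
    print(f"on the wire: HEADERS={counts[HEADERS]} RST_STREAM={counts[RST_STREAM]}")
```

Run as a script, the unmitigated connection never has more than one stream open and never refuses a stream, yet performs two units of work for each of the 10,000 attack streams; with a reset budget of 200 it is closed with ENHANCE_YOUR_CALM after the 201st reset, having done 402 units of work. The wire counts (10,000 `HEADERS`, 10,000 `RST_STREAM`, no `DATA`) are the signature a frame-type counter should alert on. The honest-client case is covered too: a client that opens more streams than the advertised limit without resetting them is refused, which is exactly what the reset trick sidesteps.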
## References
- Vendor Advisories: consult the advisories of the major HTTP/2 implementers (e.g., NGINX, Apache httpd, and the HTTP/2 libraries used by proxies, language runtimes and browsers).
- Relevant Links: Cloudflare security blog posts detailing the observed large-scale attacks relating to the HTTP/2 rapid reset vulnerability.