The HTTP/2 Fast Reset Attack Vulnerability: What You Need To Know

ISC2 CISO Jon France, CISSP, ChCSP, explains more about this vulnerability, the implications for cybersecurity professionals and affected organizations, along with advice on steps to mitigate it.

What is it?

A resource consumption attack vector related to sites that use the HTTP/2 protocol. The impact of leveraging the vulnerability is a denial of service (DoS) resulting from the consumption of system resources when dealing with a large volume of HTTP/2 reset messages.

The vulnerability is widespread as the core method (Reset) is a part of the HTTP/2 protocol and many systems implement the handling of reset requests in a way that may be vulnerable to triggering consuming server resources faster than they can be released when dealing with a mass of requests. Ultimately, exploiting the vulnerability results in the failure/off-lining of the server.

At the core of the issue is that HTTP/2 allows multiplexing of multiple requests from a single client (an endpoint). An attacker establishes a HTTP/2 connection and immediately issues a 'Reset' message to clear the connection. While this costs the client very little in terms of effort and resource, typically on the server side this will consume resources whilst the connection is 'tidied up' and released.

If a large number of these 'connection then Reset' requests are received the net affect on the server side is one of creating a backlog of clearing processes that consume resources, causing resource depletion and a probable DoS-like failure of the service.

How may it affect me?

The effect of this will manifest in the following ways:

Unusual amounts of traffic to a single web service
Sporadic error messages being returned to clients
Slow running of services
Ultimately a DoS of one or more targeted vulnerable systems (those that accept and process HTTP/2)
If you have a firewall/content delivery network (CDN) that traps traffic, you may see a spike or abnormally large amounts of dropped traffic as a result of attempts to exploit this vulnerability.

What should I do about it?

Profile where you may be vulnerable:

Inventory all systems and services that use HTTP/2, especially those that can be reached via the internet
For systems that do and are critical to operation, consult the vendor and see if they have recommendations on mitigations, or available patches

Harden where possible:

Some CDNs and firewall products now have mitigations in place - see if you are covered by one of those
If you can configure the HTTP protocol type, do so and look to restrict to HTTP/1.1 (There may be performance implications related to restricting to HTTP/1.1) or HTTP/3 as these are not known to be vulnerable

Monitor:

Be vigilant on network traffic and look for spikes in HTTP/2 traffic that may indicate an attack
Monitor services for degradation/slow response as this may indicate an attack
Monitor for unusually high numbers of HTTP error states (499 'Client Closed request' or 502 'Bad gateway')

Finally, regularly check with vendors and monitor their advice and available software updates.

Where can I find out more?

The CVE and related information can be found at https://www.cve.org/CVERecord?id=CVE-2023-44487.

For additional training and professional development support in dealing with DoS and vulnerability exploits, take a look at our Skill Builder courses for Network Security and Security Operations: https://www.isc2.org/professional-development/skill-builders.