Protection against DDoS attacks targeting HTTP/2 protocol vulnerabilities

Overview

Since September 2023, EdgeOne has observed a new type of HTTP DDoS attack that exploits a vulnerability in the HTTP/2 protocol. This vulnerability (CVE-2023-44487) is a security threat to web services and applications that serve clients over HTTP/2. EdgeOne's reverse proxy architecture and security policies effectively isolate and mitigate the risk posed by such DDoS attacks.

The DDoS attack exploiting this vulnerability is also known as the "HTTP/2 Rapid Reset Attack". It abuses a legitimate HTTP/2 protocol mechanism (cancelling a stream with RST_STREAM) against HTTP/2 implementations that do not bound the work a client can force through a single connection. EdgeOne's reverse proxy architecture and HTTP/2 implementation provide isolation and mitigation mechanisms for this feature of the HTTP/2 protocol.

Based on known information and the observed behavior of the vulnerability, attacks exploiting it take the form of a DDoS attack that affects the availability of HTTP/2 application services; an attack exploiting this vulnerability on its own does not cause business data leakage. There is currently no evidence that any customer information has been leaked due to this vulnerability.

Attack Details

Attackers exploit this HTTP/2 protocol vulnerability to launch DDoS attacks on HTTP/2 application services. The attacker opens a request stream with a HEADERS frame and immediately cancels it with a RST_STREAM frame, then repeats this pair as fast as possible over the same TCP connection. In HTTP/2, a stream that has been reset leaves the "open" state at once and no longer counts against the server's SETTINGS_MAX_CONCURRENT_STREAMS limit (see RFC 9113, section 5.1, Stream States), so the limit that normally bounds the amount of in-flight work per connection never takes effect. Each HEADERS frame nevertheless costs the server real work (decoding the header block, routing the request, possibly forwarding it to a backend) before the cancellation is processed, so a single connection using little bandwidth can drive a very large request volume, causing high CPU load and exhausting the resources of HTTP/2 implementations that do not limit the rate of stream resets.
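The stream-lifecycle abuse described above, as an added worked example that is not part of the original page and is not EdgeOne's code: a small Python script that encodes and parses raw HTTP/2 frames, replays a constructed rapid-reset trace and a constructed benign trace through a per-connection reset budget (the general shape of the mitigation adopted by patched servers: count RST_STREAM frames per connection and close the connection, normally with GOAWAY, once they exceed a threshold per time window), and reports the verdict. The frame layout, type codes and the CANCEL error code are from RFC 9113; the class and function names, the threshold of 100 resets per second, and the sample traces are assumptions made for illustration.

```python
import struct
from collections import deque

# HTTP/2 frame types, flags and the CANCEL error code used here (RFC 9113, sections 6 and 7)
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string; reject truncated input."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 9:
            raise ValueError("truncated frame header")
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class ResetBudget:
    """Illustrative per-connection sliding-window limit on client-initiated stream resets.

    A legitimate client rarely cancels requests; a rapid-reset client cancels almost
    every stream it opens. Once more than `limit` RST_STREAM frames arrive within
    `window` seconds the connection should be closed, which bounds the work one
    connection can force on the server regardless of SETTINGS_MAX_CONCURRENT_STREAMS.
    """

    def __init__(self, limit=100, window=1.0):
        self.limit = limit
        self.window = window
        self.resets = deque()   # arrival times of recent RST_STREAM frames
        self.opened = 0         # HEADERS frames seen, i.e. streams the client opened
        self.reset_total = 0

    def on_frame(self, ftype, stream_id, now):
        """Feed one frame with its arrival time; return "ok" or "close"."""
        if stream_id == 0:      # connection-level frames (SETTINGS, PING, ...) are not streams
            return "ok"
        if ftype == HEADERS:
            self.opened += 1
            return "ok"
        if ftype == RST_STREAM:
            self.reset_total += 1
            self.resets.append(now)
            while self.resets and now - self.resets[0] > self.window:
                self.resets.popleft()
            if len(self.resets) > self.limit:
                return "close"
        return "ok"


def inspect_connection(timed_frames, limit=100, window=1.0):
    """Replay (arrival_time, frame_bytes) pairs from one connection through a ResetBudget."""
    budget = ResetBudget(limit, window)
    verdict = "ok"
    for now, raw in timed_frames:
        for ftype, _flags, stream_id, _payload in parse_frames(raw):
            if budget.on_frame(ftype, stream_id, now) == "close":
                verdict = "close"
                break
        if verdict == "close":
            break
    return {"opened": budget.opened, "resets": budget.reset_total, "verdict": verdict}


def rapid_reset_trace(pairs, interval=0.0002):
    """Constructed attacker trace: HEADERS immediately followed by RST_STREAM(CANCEL) on a fresh odd stream id."""
    trace = []
    for i in range(pairs):
        sid = 2 * i + 1     # client-initiated streams use odd ids
        hdrs = encode_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, b"\x82\x84")  # HPACK: :method GET, :path /
        rst = encode_frame(RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
        trace.append((i * interval, hdrs + rst))
    return trace


def normal_trace():
    """Constructed benign trace: five page-asset requests, one cancelled when the user navigates away."""
    trace = [(0.05 * i, encode_frame(HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 2 * i + 1, b"\x82\x84"))
             for i in range(5)]
    trace.append((0.4, encode_frame(RST_STREAM, 0, 9, struct.pack("!I", ERR_CANCEL))))
    return trace


if __name__ == "__main__":
    print("benign:", inspect_connection(normal_trace()))
    print("attack:", inspect_connection(rapid_reset_trace(1000)))
```

The benign trace stays "ok" (5 streams opened, 1 reset), while the attack trace is closed at the 101st reset, after only 101 of the 1000 HEADERS/RST_STREAM pairs have been processed and long before a concurrent-stream limit would ever have been reached. The budget counts resets rather than open streams precisely because a reset stream is no longer "open" in the RFC 9113 state machine.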

Protection against CVE-2023-44487

This attack is a DDoS attack against the application-layer protocol (L7). EdgeOne has optimized and hardened its proxy architecture and security policies for application-layer protocols, protecting web application services that use EdgeOne. EdgeOne's reverse proxy architecture and HTTP/2 implementation effectively isolate the business availability risk caused by attacks exploiting this vulnerability. EdgeOne will also continue to monitor new security threats, evaluate its security policies and improve protection efficiency.

We recommend that you:
Review your origin and HTTP/2 service architecture and apply vendor security patches promptly to mitigate the risk of DDoS attacks exploiting this vulnerability.
Configure security protection policies, in particular enable and configure Rate Limiting rules. EdgeOne's rate limiting provides effective protection against application-layer security threats, including HTTP DDoS attacks.
If you cannot patch your origin, enable Origin protection and allow only origin-pull requests from EdgeOne, so that attackers cannot bypass EdgeOne by attacking the origin server directly.

Using EdgeOne's HTTP Security Protection

To protect your web services, EdgeOne offers a range of HTTP security features (see Web Protection), depending on the service specs you subscribe to. The following methods reduce the risk of application-layer DDoS attacks.

Mitigate high-frequency DDoS attacks that degrade origin availability. Enable CC attack defense rules to dynamically identify and mitigate high-risk HTTP DDoS attacks.
Block IPs or CIDR subnets with a history of malicious access. Configure a Custom rule to block a specified IP list or subnet list.
Limit the service area from which access is allowed. Configure a Custom rule to block access from outside your specified business area.
Control resource consumption. Configure rate limiting rules to mitigate the resource consumption caused by high-frequency access. We suggest limiting the request rate for global traffic, or for areas outside your business area, to control resource consumption.
Block high-risk bot access behavior. Enable and configure Bot Intelligent analysis, which dynamically identifies bot behavior and tags requests, helping you identify and block malicious bot access.
Block access from high-risk clients. Enable and configure Client reputation, which identifies and blocks high-risk clients using continuously updated IP threat intelligence.
Note:
Enterprise users can contact us to evaluate customized protection strategies, including advanced rate limiting rules based on headers and JA3 fingerprint (see Note 1), to specifically mitigate application-layer DDoS attacks and service abuse.
Note 1: Rate limiting based on JA3 fingerprint requires a subscription to the Bot management service.