HTTP and the Rapid Reset Vulnerability

The History of HTTP (HTTP/0.9)

The bedrock for data communication on the World Wide Web, a term that’s still valid yet rarely used today, is HTTP (Hypertext Transfer Protocol). HTTP is an Application Layer (OSI layer 7) protocol in the internet protocol suite. First released in 1991, the original version, HTTP, is now referred to as HTTP/0.9.  

Although crude by today’s standards, HTTP was effective enough to launch what would become a revolution in human communication. HTTP/0.9 was written as a plain document under 700 words and had one simple job, or in World Wide Web vernacular, one method: GET. Simply stated, the protocol could only request an HTML document:

GET /htmlpage.html 

General responses were extremely simple as well:

<html>
 An old and simple html page.
</html>

It’s interesting to note that in these GET parameters, there is no indication of a server IP address or protocol port. In 1991, this information was simply not needed once connected to the server; there were no headers to convey session metadata and there were no status codes or error codes.  

HTTP Today: The HTTP/2 Flaw 

Fast forward to today, four iterations later, where the standard is now HTTP/2. HTTP/2 was released in 2015 and offers major advancements, making it more efficient and responsive to the demands of today’s web. While it’s a notable improvement over previous versions, as with many things, along with the good comes some bad. HTTP/2 has a flaw which provides malicious actors a simple method to create a Distributed Denial-of-Service (DDoS) attack against any web server, in an attempt to render network resources unavailable and disrupt operations.  

DDoS attacks against web servers are certainly not new; however, a recent DDoS attack method, known as “HTTP/2 Rapid Reset,” leverages a flaw in the implementation of the protocol. For official information on this flaw see CISA’s alert on CVE-2023-44487.

The flaw is nestled in the added ability for HTTP/2 to multiplex, which is a major advancement over HTTP/1.1. With multiplexing, HTTP/2 can initiate multiple requests in parallel over a single TCP connection. As a result, a webpage containing several elements is now delivered over one TCP connection. It’s important to note that this flaw, by itself, does not lead to server or data compromise. It could, however, be used to divert attention while threat actors attack other areas in the target networks.

In Figure 1 below, the HTTP/1.1 attack shows the serial nature of the previous protocol version and the limitation it imposes on how rapidly Requests and Responses can be established. The HTTP/2 attack shows how the multiplexing feature of HTTP/2 allows for a parallel attack, consuming more resources on the web server as it works to produce Responses more quickly. Finally, the HTTP/2 Rapid Reset attack demonstrates how the previous parallel attack can be amplified by continuously sending the web server a Request followed by a Reset, which allows for an unbounded number of Requests to be in flight. Here the web server will have to do significant amounts of work creating and canceling requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource, eventually consuming available server or network resources, whichever occurs first.

Figure 1 – Rapid reset vulnerability. Image Source: thehackernews.com
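The traffic pattern described above, a connection that opens many streams and cancels almost all of them within a very short time, is also what a defender can watch for on the server or proxy side. Below is an added example, not code from the original post: a per-connection sliding-window detector in Python that flags a connection once it has sent at least 100 HEADERS frames within one second and at least 90% as many RST_STREAM frames; the thresholds, the (timestamp, connection id, frame type) event format and the connection names are constructed for illustration.

```python
# Added example (not from the original post): sliding-window detector for the
# HTTP/2 Rapid Reset pattern, fed with constructed frame observations.
from collections import defaultdict, deque

HEADERS, RST_STREAM = "HEADERS", "RST_STREAM"


class RapidResetDetector:
    """Flag connections that open many streams and cancel almost all of them.

    Thresholds are assumptions for illustration: a connection is flagged when,
    within `window_s` seconds, it has sent at least `min_headers` HEADERS
    frames and at least `cancel_ratio` of that many RST_STREAM frames.
    """

    def __init__(self, window_s=1.0, min_headers=100, cancel_ratio=0.9):
        self.window_s = window_s
        self.min_headers = min_headers
        self.cancel_ratio = cancel_ratio
        self._frames = defaultdict(deque)  # conn_id -> deque of (ts, frame_type)

    def observe(self, conn_id, ts, frame_type):
        """Record one frame (events arrive in time order); True if now flagged."""
        if frame_type not in (HEADERS, RST_STREAM):
            return False  # DATA, SETTINGS, etc. do not affect the ratio
        frames = self._frames[conn_id]
        frames.append((ts, frame_type))
        while frames and ts - frames[0][0] > self.window_s:  # expire old frames
            frames.popleft()
        headers = sum(1 for _, kind in frames if kind == HEADERS)
        resets = len(frames) - headers
        return headers >= self.min_headers and resets >= self.cancel_ratio * headers


def flagged_connections(events, **kwargs):
    """Run the detector over (ts, conn_id, frame_type) tuples; return flagged ids."""
    det = RapidResetDetector(**kwargs)
    return {cid for ts, cid, kind in events if det.observe(cid, ts, kind)}


def constructed_events():
    """Constructed sample: an ordinary page load next to a rapid-reset burst."""
    events = [(i * 0.1, "browser", HEADERS) for i in range(40)]  # 40 streams in 4 s
    events += [(4.0, "browser", RST_STREAM)] * 2  # two streams cancelled
    for i in range(200):  # 200 HEADERS each followed at once by RST_STREAM, in 0.2 s
        events.append((5.0 + i * 0.001, "attacker", HEADERS))
        events.append((5.0 + i * 0.001, "attacker", RST_STREAM))
    return sorted(events, key=lambda e: e[0])  # stable: HEADERS stays before its reset
```

The ordinary connection never comes close to the threshold, while the burst is flagged as soon as its 100th stream is opened with 99 already cancelled; a flagged connection is the natural point at which a server or WAF would stop accepting new streams from that peer.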

With some simple Python code utilizing the hyper library, a threat actor can use multiple threads to repeatedly send a series of HTTP/2 requests with headers and RST_STREAM frames to generate a high volume of traffic. How simple might this be? We’ll first create a ‘send_requests’ function that might look something like this:

def send_requests():
    conn = hyper.http20.h2.H2Connection()
    conn.initiate_connection()
    conn.connect(target_host, target_port)

    for _ in range(num_requests):
        headers = [
            (':method', 'GET'),
            (':scheme', 'https'),
            (':authority', target_host),
            (':path', '/path/to/resource'),
        ]

        conn.send_headers(1, headers)
        conn.send_rst_stream(1, hyper.http20.errors.ErrorCodes.CANCEL)

From here, we only need to initiate the request in multiple threads to amplify the effect: 

threads = []
for _ in range(10):
    t = threading.Thread(target=send_requests)
    threads.append(t)

So, with under 20 lines of code, it’s possible to create something that can be used as a base to create a DDoS attack against a web server. *Please note that the code in the example above is not complete and cannot, and certainly should not, be used or referenced to perform any type of DDoS attack. 

Mitigating Risks

While this flaw is known, vendors have been working to mitigate the risk. Organizations should also, as a rule, take proactive steps to mitigate risk and reduce the effects of DDoS attacks in general. This means organizations should have controls in place, including: 

  • Consistent application of patches to web servers/proxies 
  • Restricted internet access to web applications where possible 
  • Use of a Web Application Firewall (WAF) with rate limiting rules and geographic restrictions 

Organizations can also consider migrating to a hardened Platform as a Service (PaaS) provider like Microsoft Azure App Service, a managed service with built-in infrastructure maintenance, security patching, and scaling.  

Resource availability is critical in IT Security. Applications and data that are not readily available to authorized users can have a cascading effect on organizations, resulting in loss of productivity, loss of revenue, and loss of reputation. A DDoS attack like the threat described above can impact this availability. Organizations should – must – have a comprehensive security posture which allows them to protect their assets while actively monitoring and responding to alerts and incidents. If you want to create a comprehensive security program or bolster an existing program, the experts at Ntirety can help. Get started today by visiting us at ntirety.com.

CFO Focus on Cybersecurity: Why NIST Cybersecurity Frameworks Matter

From the moment any data system comes online, it is at risk of breach. Modern workloads and data reside, change, and grow in an environment of expanding capabilities and simultaneous risk. In the wild, more than a million cyberattacks occur on the web on average each day. The odds of avoiding becoming a target are simply not very good. The need for continual cybersecurity measures is pressing, and there is a call for programs that feature heightened vigilance and performance in the face of modern threats.

Threats to Financial Teams

Financial teams are in an especially exposed position. Their data is a high-value target sitting in a sprawling computing estate, and any leak could pose an existential threat to their careers, not to mention the company itself. The implications of just one successful attack could cost millions, and thus CFOs have grown to be shared custodians of cybersecurity initiatives. CFO executives have started to focus on cybersecurity solutions with more emphasis than ever before, and to explore the depths of current cybersecurity threat conditions. What this exploration has revealed is that the familiar benefits of frameworks can be applied towards solutions.

The Familiarity of Frameworks

Framework systems build on basic concepts and controls, and work as scaffolding systems that guide efforts through reporting, analysis, and workflows. Financial professionals are familiar with frameworks, as the framework is the core of financial operations. Without it, a business would lose control over finances and ultimately fail to succeed.  

Over the years, as threat and risk conditions have escalated, the setting for advanced cybersecurity measures has moved out of the server room (and the hands of information technology teams) and to the executive table. Championed by the CFO and other executives, this change demands direct access to the board and the budget planning process. Cybersecurity investments are critical and significant, and along with those characterizations the familiar standards of frameworks have proven to provide valuable measurement of risks, controls, and performance.

The NIST Standard 

One of the most accepted cybersecurity frameworks is the NIST standard known as the “NIST Cybersecurity Framework.” The NIST Cybersecurity Framework covers five key functions:

  • Identify
  • Protect
  • Detect
  • Respond 
  • Recover

Organizations are leveraging this framework as an anchor to build an approach that is repeatable, flexible, prioritized, cost-effective, and based on performance. In other words, the NIST framework checks all the boxes as it offers guidance and assistance toward the management of cybersecurity risks. Prevention, ruling measures, and the ability to recover in the event of an attack are all rolled into the framework.  

The NIST framework has gained merit with C-suites, boards, and CFOs, and it’s important to recognize its value in the cybersecurity conversation – and in providing a high-level overview of the business and its protections. Digging deeper, specific NIST publications (SP 800-171 and SP 800-53, as examples) offer more than 100 controls and measures and provide a roadmap to a better-secured, lower-risk future. These serve as the vehicle of justification for cybersecurity initiatives, creating greater success in the mission and for the business.

Cybersecurity as Business Imperative 

Once relegated to information technology teams, cybersecurity has taken on an appropriate scope of enterprise-wide focus. Financial executives have stepped up to the risks and challenges of an age where traditional security mindsets cannot meet the standards of acceptance. Due to its existential nature and massive financial implications, cybersecurity has become the most significant risk to the business. Security frameworks have created a consumable channel at the executive table, providing valuable guidance towards better security practices and technologies.  

With any framework in place, the business begins to gain insight into and confidence in its measures. This applies in both financial matters and cybersecurity. With cybersecurity frameworks, organizations can leverage the virtual blueprints that emerge to create effective actions that feed directly into their cybersecurity infrastructure. These frameworks can take their place in technology decisions, as planning plus action equals results and improvements. Cybersecurity frameworks such as NIST help organizations assess and build actionable plans and determine exposure to risks.  

Cybersecurity guidance that is derived from a framework approach offers the most value when tactical points are matched up to actions. Organizations can pragmatically build out on a custom cyber-resilience strategy that aligns with the extremely individual context of an organization’s assumption of risks.  

How Ntirety Can Help 

Ntirety Compliance Services provide a comprehensive and reliable solution for ensuring your business remains compliant with industry regulations and NIST standards. Our team of experienced compliance experts will work closely with you to assess your current compliance posture, identify any potential gaps, and develop a customized plan to help your organization achieve and maintain compliance. With Ntirety services, you can feel confident your business is meeting all the necessary requirements and avoid costly penalties or other negative consequences. By choosing Ntirety Compliance Services, you can focus on running your business while we take care of the complicated compliance issues.