CVE-2023-44487

HTTP/2 Protocol — Protocol-Level Denial of Service
CVSS 3.1: 7.5 / 10 — HIGH | CISA Known Exploited Vulnerability

Overview

Actively Exploited — Record-Breaking DDoS Attacks. This vulnerability was exploited in the wild from August through October 2023 to generate the largest DDoS attacks ever recorded at the time. CISA added it to the Known Exploited Vulnerabilities catalog on October 10, 2023 with a remediation deadline of October 31, 2023.

CVE-2023-44487 is a denial-of-service vulnerability inherent to the HTTP/2 protocol. An attacker can rapidly open and cancel HTTP/2 streams by sending HEADERS frames immediately followed by RST_STREAM frames, generating massive server-side workload while bypassing the concurrent stream limit. This technique, dubbed "Rapid Reset", was exploited by botnets as small as 20,000 machines to produce attacks peaking at 398 million requests per second (Google) and 201 million RPS (Cloudflare) — roughly 3× the previous record.

How the Attack Works

The HTTP/2 protocol allows multiplexing many requests over a single TCP connection via streams. Servers advertise a SETTINGS_MAX_CONCURRENT_STREAMS value (typically 100) to limit how many streams can be open simultaneously. However, the Rapid Reset attack renders this limit ineffective:

  1. The attacker opens an HTTP/2 connection and sends a HEADERS frame (opening a new stream).
  2. Immediately — before waiting for any server response — the attacker sends a RST_STREAM frame on that same stream, canceling it.
  3. The RST_STREAM immediately transitions the stream to the closed state, freeing a concurrency slot — so the attacker can instantly open a new stream.
  4. This is repeated at wire speed. In a single TCP packet, hundreds of HEADERS+RST_STREAM pairs can be packed (each subsequent HEADERS is only ~9 bytes due to HPACK compression).
  5. The server receives these frames and begins processing each request (parsing, routing to upstream, allocating resources) — but by the time it processes the RST_STREAM, work has already been dispatched, creating a massive backlog.

Key insight: The concurrent stream limit (SETTINGS_MAX_CONCURRENT_STREAMS) cannot mitigate this attack. Because each stream is immediately canceled, it never counts against the concurrency limit. The client can churn through an effectively unbounded number of requests regardless of the server's configured limit.

Why it's so effective:

  • Asymmetric cost: Opening and canceling a stream costs the client nearly nothing (~35 bytes), but the server must parse headers, dispatch the request to upstream services, allocate memory, and then tear everything down.
  • No ramp-up period: Unlike volumetric floods, the attack hits full force from the very first packet.
  • Bypasses HTTP/2 concurrency controls: The protocol's built-in safety mechanism is rendered meaningless.
  • Small botnet, enormous impact: A botnet of just 20,000 nodes produced 398M RPS, orders of magnitude more than traditional Layer 7 attacks.

Record-Breaking Attack Scale

Three major cloud providers independently disclosed coordinated Rapid Reset attacks:

Provider       Peak RPS          Attack Period                Botnet Size
Google Cloud   398 million RPS   August 2023                  ~20,000 machines
Cloudflare     201 million RPS   August 25 – October 2023     ~20,000 machines
AWS            155 million RPS   August – September 2023      Not disclosed

The entire World Wide Web typically sees between 1 and 3 billion requests per second. A botnet of merely 20,000 machines generating 398M RPS commanded a significant percentage of all global web traffic — directed at a single target.

Protocol-Level Analysis

In HTTP/2, each request/response exchange occurs on a stream identified by an odd-numbered stream ID. Streams pass through a lifecycle: idle → open → half-closed → closed. Only streams in the open or half-closed states count toward SETTINGS_MAX_CONCURRENT_STREAMS.

A client sending HEADERS with END_STREAM=1 transitions a stream from idle → open → half-closed. Immediately sending RST_STREAM transitions it to closed. Because the stream is closed, it no longer counts against the concurrency limit, and the client can immediately open another stream.

Due to HPACK header compression, the first HEADERS frame is ~26 bytes, but subsequent frames are only ~9 bytes. Combined with 9-byte RST_STREAM frames, an attacker can pack hundreds of request-cancel pairs into a single TCP packet. In one proof-of-concept capture, a single packet contained 525 requests reaching stream ID 1051 — all with nearly zero server acknowledgment needed.

Protocol design gap: RFC 9113 (HTTP/2) does not specify any rate limit for RST_STREAM frames nor does it mandate servers track and limit the total number of streams created over a connection's lifetime (only concurrent open streams). This is the fundamental gap that enables the attack.

Affected Software

Because this is a protocol-level vulnerability, virtually every HTTP/2 implementation was affected. The NVD lists over 35 distinct software configurations.

Web servers and proxies: NGINX before 1.25.3, Apache Tomcat 8.5.x–11.0.0-M11, Apache Traffic Server 8.x–9.x, Caddy before 2.7.5, HAProxy, Envoy 1.24.10/1.25.9/1.26.4/1.27.0, Traefik before 2.10.5, LiteSpeed Web Server, Varnish Cache.

Language runtimes: Go before 1.20.10/1.21.3, Node.js before 18.18.2/20.8.1, Microsoft .NET 6.x/7.x, gRPC-Go, Netty before 4.1.100, nghttp2 before 1.57.0, Jetty, Swift NIO HTTP/2 before 1.28.0.

Cloud and infrastructure: F5 BIG-IP 13.x–17.x, Microsoft Azure Kubernetes Service, Microsoft Windows Server 2016/2019/2022, Amazon OpenSearch Data Prepper, Kong Gateway, Jenkins, Apache Solr.

Service mesh and networking: Istio, Linkerd, Contour, Kubernetes, Cisco IOS XE/XR, Cisco Firepower Threat Defense, Palo Alto Networks PAN-OS, Red Hat Enterprise Linux, Debian, Fedora.

Mitigation and Remediation

Immediate actions:

  1. Update all HTTP/2-capable software to patched versions (see affected products list above).
  2. Deploy behind a DDoS-mitigating reverse proxy (Cloudflare, AWS Shield, Google Cloud Armor) which has already implemented protocol-level mitigations.
  3. Monitor RST_STREAM rates per connection. Connections sending excessive RST_STREAM frames should be terminated with a GOAWAY frame.

Server-side mitigations for implementers:

  • Track total streams per connection (not just concurrent), and close connections that create an excessive number of streams over their lifetime.
  • Rate-limit RST_STREAM frames: If a client sends more RST_STREAM frames than a threshold within a time window, close the connection.
  • Reduce SETTINGS_MAX_CONCURRENT_STREAMS to 100 (the RFC recommendation). While this alone doesn't mitigate Rapid Reset, it reduces the blast radius of concurrent work.
  • IP-based reputation: Track IPs exhibiting Rapid Reset behavior and block or downgrade them to HTTP/1.1.
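As an added example (not code from this advisory or from any of the vendors named above), the following Python walks one connection's inbound HTTP/2 frames and applies the two implementer-side rules from the list above: a per-connection RST_STREAM rate limit within a time window, and a cap on the total number of streams created over the connection's lifetime. It also illustrates the Protocol-Level Analysis section, since it parses the 9-byte frame header (24-bit length, type, flags, 31-bit stream ID) and recognises a new client stream by its increasing odd stream ID. The frame layout follows RFC 9113 section 4.1; the thresholds, the class and function names, and the two sample byte buffers are assumptions constructed for this example, not values taken from any vendor patch.

```python
from collections import deque

# HTTP/2 frame types and flags used here (RFC 9113 sections 6.2, 6.4)
HEADERS = 0x1
RST_STREAM = 0x3
END_STREAM = 0x1
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame; used only to build the constructed sample input below."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for every complete frame in a byte buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame at offset %d" % off)
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class RapidResetGuard:
    """Per-connection state for the two rules; thresholds are assumed defaults, not vendor values."""

    def __init__(self, max_rst_per_window=50, window_seconds=1.0, max_total_streams=1000):
        self.max_rst_per_window = max_rst_per_window
        self.window_seconds = window_seconds
        self.max_total_streams = max_total_streams
        self.rst_times = deque()       # timestamps of RST_STREAM frames inside the window
        self.highest_stream_id = 0     # client-initiated stream ids are odd and increasing
        self.total_streams = 0         # streams created over the whole connection lifetime

    def observe(self, ftype: int, stream_id: int, now: float):
        """Return a GOAWAY reason if this frame trips a rule, otherwise None."""
        if ftype == HEADERS and stream_id > self.highest_stream_id:
            # A HEADERS frame on a never-seen stream id opens a new stream.
            self.highest_stream_id = stream_id
            self.total_streams += 1
            if self.total_streams > self.max_total_streams:
                return "GOAWAY ENHANCE_YOUR_CALM: %d streams created on one connection" % self.total_streams
        elif ftype == RST_STREAM:
            self.rst_times.append(now)
            while self.rst_times and now - self.rst_times[0] > self.window_seconds:
                self.rst_times.popleft()   # drop cancellations that fell out of the window
            if len(self.rst_times) > self.max_rst_per_window:
                return "GOAWAY ENHANCE_YOUR_CALM: %d RST_STREAM in %.1fs" % (
                    len(self.rst_times), self.window_seconds)
        return None


def inspect_connection(data: bytes, guard: RapidResetGuard, now: float = 0.0):
    """Walk a connection's inbound bytes; return (frames processed, verdict or None)."""
    processed = 0
    for ftype, _flags, stream_id, _payload in parse_frames(data):
        processed += 1
        verdict = guard.observe(ftype, stream_id, now)
        if verdict:
            return processed, verdict
    return processed, None


# Constructed sample input (not a real capture). The 2-byte HEADERS payload is an
# HPACK-indexed ":method GET" + ":path /"; RST_STREAM carries error code CANCEL (0x8).
CANCEL = (8).to_bytes(4, "big")
NORMAL = b"".join(encode_frame(HEADERS, END_STREAM, sid, b"\x82\x84") for sid in (1, 3, 5)) \
    + encode_frame(RST_STREAM, 0, 3, CANCEL)            # a client cancelling one of three requests
ABUSIVE = b"".join(
    encode_frame(HEADERS, END_STREAM, sid, b"\x82\x84") + encode_frame(RST_STREAM, 0, sid, CANCEL)
    for sid in range(1, 400, 2))                          # 200 open/cancel pairs seen at one instant

if __name__ == "__main__":
    print(inspect_connection(NORMAL, RapidResetGuard()))   # (4, None)
    print(inspect_connection(ABUSIVE, RapidResetGuard()))  # GOAWAY after the 51st RST_STREAM
```

The guard treats the first HEADERS on a higher stream ID as a newly created stream, which is exactly the per-lifetime count that SETTINGS_MAX_CONCURRENT_STREAMS does not track; the RST_STREAM window catches the churn pattern even when every stream is closed again before it would count as concurrent. In a real server the `now` argument would be the frame's arrival time rather than a constant.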

Coordinated disclosure: Google, Cloudflare, and AWS conducted a rare three-party coordinated disclosure, simultaneously publishing technical analyses while vendors (NGINX, Apache, Microsoft, Golang, Node.js, and dozens more) released patches on the same day as public disclosure on October 10, 2023.

Key Details

Property: Value
CVE ID: CVE-2023-44487
Vendor / Product: IETF — HTTP/2
NVD Published: 2023-10-10
NVD Last Modified: 2025-11-07
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity: HIGH
CWE: CWE-400
CISA KEV Added: 2023-10-10
CISA KEV Deadline: 2023-10-31
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2023-10-31. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2023-08-25  Cloudflare first observes unusually large HTTP attacks exploiting the Rapid Reset technique
2023-08-28  Attacks peak — Google observes 398 million RPS; Cloudflare observes 201 million RPS
2023-10-10  Coordinated public disclosure: CVE-2023-44487 published, CISA alert issued, vendor patches released simultaneously
2023-10-10  Added to CISA Known Exploited Vulnerabilities catalog
2023-10-31  CISA BOD 22-01 remediation deadline