Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

msrc-blog
Summary

Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting the HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet-exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan. Microsoft recommends that customers follow the guidance provided in this blog to ensure their services are hardened and protected against this DDoS attack technique.

This DDoS attack, known as ‘HTTP/2 Rapid Reset’, leverages a flaw in the implementation of HTTP/2. Microsoft promptly created mitigations for IIS (HTTP.sys), .NET (Kestrel), and Windows, which were part of Microsoft Security Updates released on Oct 10th, 2023.

While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised.

Attack Details

This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS frames followed by RST_STREAM frames, and repeats this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in requests per second and high CPU utilization on the servers, which can eventually cause resource exhaustion.
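The HEADERS/RST_STREAM pattern described above can be recognised per connection on the server side. The following is an added example, not code from Microsoft or from any patched product: the event labels, the three tuning constants and the sample log are assumptions constructed for illustration, with "END_STREAM" standing for a stream that completed normally.

```python
from collections import defaultdict, deque

# Assumed tuning values (not from the advisory): flag a connection once more
# than MAX_RESETS of its streams are cancelled inside WINDOW_S seconds,
# counting only resets that arrive within QUICK_S of the stream's HEADERS.
WINDOW_S, MAX_RESETS, QUICK_S = 1.0, 20, 0.05

class ResetTracker:
    """Per-connection counter of streams opened and cancelled almost at once."""
    def __init__(self):
        self.opened = defaultdict(dict)    # conn -> {stream_id: HEADERS time}
        self.resets = defaultdict(deque)   # conn -> times of quick resets
        self.flagged = set()

    def observe(self, ts, conn, frame, stream_id):
        """Feed one frame event; return True once conn is flagged."""
        if frame == "HEADERS":
            self.opened[conn][stream_id] = ts
        elif frame == "RST_STREAM":
            start = self.opened[conn].pop(stream_id, None)
            if start is not None and ts - start <= QUICK_S:
                q = self.resets[conn]
                q.append(ts)
                while q and ts - q[0] > WINDOW_S:   # slide the window
                    q.popleft()
                if len(q) > MAX_RESETS:
                    self.flagged.add(conn)          # candidate for GOAWAY/close
        elif frame == "END_STREAM":                 # response finished normally
            self.opened[conn].pop(stream_id, None)
        return conn in self.flagged

def constructed_log():
    """Constructed sample: conn 'A' behaves normally, conn 'B' resets rapidly."""
    events = []
    for i in range(5):                     # A: request, then normal completion
        events += [(i * 0.2, "A", "HEADERS", 2 * i + 1),
                   (i * 0.2 + 0.1, "A", "END_STREAM", 2 * i + 1)]
    events.append((0.95, "A", "RST_STREAM", 99))    # stray reset, unknown stream
    for i in range(40):                    # B: HEADERS, RST_STREAM 1 ms later
        events += [(i * 0.01, "B", "HEADERS", 2 * i + 1),
                   (i * 0.01 + 0.001, "B", "RST_STREAM", 2 * i + 1)]
    return sorted(events)

def flagged_connections(events):
    tracker = ResetTracker()
    for ts, conn, frame, sid in events:
        tracker.observe(ts, conn, frame, sid)
    return sorted(tracker.flagged)

if __name__ == "__main__":
    print(flagged_connections(constructed_log()))
```

Because every cancelled request stays inside one TCP connection, the counter has to live at the HTTP/2 layer of the server or proxy; a per-IP request counter alone sees only one connection.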

Protecting your services from CVE-2023-44487

This HTTP DDoS activity is primarily targeted at layer 7 rather than layer 3 or 4. Microsoft hardened layer 7 protections in our web service implementations and patched services to better protect customers from the impact of these DDoS attacks. While these tools and techniques are highly effective at mitigating the majority of disruptions, Microsoft consistently reviews the performance of its hardening capabilities and incorporates learnings into refining and improving their effectiveness.

  • Microsoft services used for hosting web applications have applied security updates to provide mitigations against this attack.

  • Microsoft recommends that customers who are self-hosting web applications patch web servers/proxies using Windows Update or Open-Source Software (OSS) fixes for CVE-2023-44487 as quickly as possible to protect their environments. Affected products requiring customer action have been released in our Microsoft Security Update Guide.

  • Microsoft recommends enabling Azure Web Application Firewall (WAF) on Azure Front Door or Azure Application Gateway to further improve security posture. WAF rate limiting rules are effective in providing additional protection against these attacks. Review the recommendations section or this blog for more details.

  • Microsoft recommends restricting internet access to your web applications where possible.

  • If you are unable to apply the appropriate patches and your web application is not protected by WAF on Azure Front Door or Application Gateway, consider disabling HTTP2 on your web services. Please note disabling the HTTP2 protocol in your environment should be a deliberate decision, carefully assessing its potential impact on your products and services, as it can significantly influence performance and user experience.

Recommendations – Layer 7 DDoS Protection Tips

Microsoft recommends using layer 7 protection services such as Azure Web Application Firewall (WAF) (available with Azure Front Door and Azure Application Gateway) to protect web applications. Review the following mitigation guidance to reduce the impact of layer 7 DDoS attacks: Application DDoS protection.

If using Azure WAF on Azure Front Door or Application Gateway:

  • Use the bot protection managed rule set, which provides protection against known bad bots. For more information, see Configuring bot protection on Azure Front Door and Configuring bot protection on Application Gateway.
  • IP addresses and ranges that you identify as malicious should be blocked. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
  • Traffic from outside a defined geographic region, or within a defined region, should be blocked, rate limited, or redirected to a static webpage. For more information, see examples at Create and use custom rules for Azure Front Door and Create and use v2 custom rules for Application Gateway.
  • Create rate limiting custom rules to automatically block and rate limit HTTP or HTTPS attacks that have known signatures. For more information, see examples at Create rate limiting custom rules for Azure Front Door and Create rate limiting custom rules for Application Gateway.

If using Azure API Management, in addition to fronting with WAF, customers should enable the following configuration:

  • Deploy your API Management instance into a Virtual Network and enable DDoS protection.
  • Apply L7 rate limit policy to block excessive HTTP traffic.

Azure and M365

Per the Cloud Shared Responsibility Model, Microsoft will be applying the appropriate security updates to the Microsoft-managed SaaS and PaaS services, as well as IaaS auto-patched services, using Safe Deployment Practices. Additionally, these services are also protected by DDoS services. Customers using IaaS services that are on manual patching are encouraged to apply the updates based on the guidance outlined above.

Microsoft follows Coordinated Vulnerability Disclosure (CVD), which systematically and responsibly manages the discovery, reporting, and remediation of security vulnerabilities. CVD allows us to collaborate with researchers and the wider security community in a way that prioritizes user security and system integrity. By following a coordinated approach, we can work with researchers and industry partners to ensure that potential vulnerabilities are addressed before they’re made public, reducing the risk of exploitation.

Part of any robust security posture is working with researchers to help find vulnerabilities, so we can fix any findings before details of the vulnerabilities are broadly available and misused. We want to thank Amazon, Cloudflare, and Google who reported this vulnerability under Coordinated Vulnerability Disclosure (CVD). We also want to thank the partners in the open-source community that worked with the Microsoft Security Response Center (MSRC) to develop fixes and help keep Microsoft customers safe.

References

  • Application DDoS protection - Azure Web Application Firewall | Microsoft Learn
  • DDoS protection on Azure Front Door | Microsoft Learn
  • 2022 in review: DDoS attack trends and insights | Microsoft Security Blog
  • Joint CISA FBI MS-ISAC Guide on Responding to DDoS Attacks and DDoS Guidance for Federal Agencies | CISA
