### Summary
Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild against the HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet-exposed HTTP/2 endpoint. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners on a coordinated disclosure and mitigation plan. Microsoft recommends that customers follow the guidance provided in this blog to ensure their services are hardened and protected against this DDoS attack technique.
This DDoS attack, known as ‘HTTP/2 Rapid Reset’, leverages a flaw in the implementation of HTTP/2. Microsoft promptly created mitigations for IIS (HTTP.sys), .NET (Kestrel), and Windows, which were part of Microsoft Security Updates released on Oct 10th, 2023.
While this DDoS has the potential to impact service availability, it alone does not lead to the compromise of customer data, and at this time we have seen no evidence of customer data being compromised.
### Attack Details
This HTTP/2 vulnerability allows malicious actors to launch a DDoS attack against HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS frames, each immediately followed by a RST_STREAM frame, and repeats this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing many HEADERS and RST_STREAM frames into a single connection, attackers can cause a significant increase in requests per second and high CPU utilization on the servers, which eventually can lead to resource exhaustion.
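The server-side mitigations shipped for this issue share one idea: count how many streams a client cancels per connection within a short window and close the connection once that count exceeds a threshold. The following is an added illustration of that per-connection reset-rate guard, written for this page; it is not the code from HTTP.sys, Kestrel or any other implementation named above. The frame log it runs over is constructed inline (connection "A" is a normal client that cancels two of five streams, connection "B" shows the HEADERS/RST_STREAM pattern described in the text), and the threshold and window values are illustrative assumptions, not vendor defaults.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnectionState:
    """Per-connection bookkeeping kept by the guard."""
    open_streams: set = field(default_factory=set)   # stream ids opened by HEADERS, not yet reset
    reset_times: deque = field(default_factory=deque) # timestamps of client resets inside the window
    closed: bool = False


class RapidResetGuard:
    """Flags a connection once it resets more than max_resets streams within window_seconds."""

    def __init__(self, max_resets: int = 10, window_seconds: float = 1.0):
        self.max_resets = max_resets
        self.window = window_seconds
        self.conns: dict[str, ConnectionState] = {}

    def observe(self, ts: float, conn_id: str, frame_type: str, stream_id: int) -> bool:
        """Feed one frame; returns True when the connection should be closed."""
        state = self.conns.setdefault(conn_id, ConnectionState())
        if state.closed:
            return True
        if frame_type == "HEADERS":
            state.open_streams.add(stream_id)
        elif frame_type == "RST_STREAM" and stream_id in state.open_streams:
            # Only client cancellations of streams we actually opened count;
            # a reset for an unknown stream is a protocol error handled elsewhere.
            state.open_streams.discard(stream_id)
            state.reset_times.append(ts)
            # Drop resets that have aged out of the sliding window.
            while state.reset_times and ts - state.reset_times[0] > self.window:
                state.reset_times.popleft()
            if len(state.reset_times) > self.max_resets:
                state.closed = True
                return True
        return False


def constructed_frames():
    """Constructed sample: (timestamp_seconds, connection_id, frame_type, stream_id)."""
    frames = []
    # Connection "A": five streams opened, two cancelled (e.g. user navigated away).
    for i in range(5):
        frames.append((0.1 * i, "A", "HEADERS", 2 * i + 1))
    frames.append((0.55, "A", "RST_STREAM", 1))
    frames.append((0.60, "A", "RST_STREAM", 3))
    # Connection "B": twenty HEADERS/RST_STREAM pairs within 40 ms.
    for i in range(20):
        sid = 2 * i + 1
        frames.append((0.001 * (2 * i), "B", "HEADERS", sid))
        frames.append((0.001 * (2 * i + 1), "B", "RST_STREAM", sid))
    return sorted(frames, key=lambda f: f[0])


def evaluate(frames, max_resets: int = 10, window_seconds: float = 1.0) -> set:
    """Run the guard over a frame log and return the ids of connections it would close."""
    guard = RapidResetGuard(max_resets, window_seconds)
    closed = set()
    for ts, conn_id, frame_type, stream_id in frames:
        if guard.observe(ts, conn_id, frame_type, stream_id):
            closed.add(conn_id)
    return closed


if __name__ == "__main__":
    print("connections to close:", evaluate(constructed_frames()))
```

The guard only counts resets of streams the client itself opened, so a legitimate client that cancels an occasional request stays well under the threshold, while the abusive pattern trips it after eleven cancellations inside one second. Real implementations also tune the threshold relative to the advertised concurrent-stream limit, which is what makes the cancellations cheap for the client and expensive for the server.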
### Am I vulnerable?
All AKS supported versions will be hotfixed. Please upgrade your cluster to a supported version to receive the patch.
If you are running a Public AKS cluster or have public endpoints for the cluster or your applications, you could be vulnerable.
If your AKS node is running a Windows VHD older than 231007, your node will be vulnerable.
Azure Linux and Ubuntu 22.04 are not vulnerable.
### AKS Information
To enhance the security of your public AKS cluster and reduce the risk of exploitation, you are advised to restrict the allowed IP address ranges that can connect to the API server. This can be accomplished by utilizing the API server authorized IP range feature. Furthermore, you are advised to create private clusters to ensure that network traffic exclusively traverses the private network between your API server and node pools, enhancing overall security.
Update your Windows 2019 node image to at least 17763.4974.231007 to remediate this vulnerability.
Update your Windows 2022 node image to at least 20348.2031.231007 to remediate this vulnerability.
Update your Windows 2022-gen2 node image to at least 20348.2031.231007 to remediate this vulnerability.
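To check whether the Windows nodes in a cluster already meet the minimum image versions listed above, an operator can compare the node image version reported on each node against the thresholds. The following is an added example written for this page, not AKS tooling: it reads the JSON that `kubectl get nodes -o json` produces and uses the `kubernetes.azure.com/node-image-version` and `kubernetes.io/os` node labels. The node objects embedded in the script are constructed samples, and the assumption that the Windows label value ends in `<build>.<ubr>.<yymmdd>` (matching the version strings above) is the example's own; 17763 and 20348 are the OS build numbers of Windows Server 2019 and 2022, so the SKU is derived from the build rather than from label text.

```python
import json
import re

# Minimum image versions from the advisory, keyed by Windows OS build number.
# Windows 2022 and 2022-gen2 share the same build and the same minimum.
MIN_IMAGE_BY_BUILD = {
    17763: (17763, 4974, 231007),   # Windows Server 2019
    20348: (20348, 2031, 231007),   # Windows Server 2022 / 2022-gen2
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d{6})$")


def parse_image_version(label_value: str):
    """Return (build, ubr, yymmdd) from a node-image-version label, or None if unparseable."""
    m = _VERSION_RE.search(label_value)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def needs_update(label_value: str) -> bool:
    """True when a Windows node image is below the advisory minimum or cannot be assessed."""
    version = parse_image_version(label_value)
    if version is None:
        return True  # unknown format: treat as not verified rather than as safe
    minimum = MIN_IMAGE_BY_BUILD.get(version[0])
    if minimum is None:
        return True  # unrecognised Windows build: flag for manual review
    return version < minimum


def unpatched_windows_nodes(nodes_json: str) -> list:
    """Names of Windows nodes in a `kubectl get nodes -o json` document that still need the fix."""
    doc = json.loads(nodes_json)
    flagged = []
    for node in doc.get("items", []):
        labels = node.get("metadata", {}).get("labels", {})
        if labels.get("kubernetes.io/os") != "windows":
            continue  # Azure Linux and Ubuntu 22.04 nodes are not affected per the advisory
        image = labels.get("kubernetes.azure.com/node-image-version", "")
        if needs_update(image):
            flagged.append(node["metadata"]["name"])
    return flagged


# Constructed sample of three nodes; label values are illustrative, not captured from a cluster.
SAMPLE_NODES = json.dumps({
    "items": [
        {"metadata": {"name": "aks-linux-000000", "labels": {
            "kubernetes.io/os": "linux",
            "kubernetes.azure.com/node-image-version": "AKSUbuntu-2204-202310.04.0"}}},
        {"metadata": {"name": "akswin19000000", "labels": {
            "kubernetes.io/os": "windows",
            "kubernetes.azure.com/node-image-version": "AKSWindows-2019-17763.4851.230915"}}},
        {"metadata": {"name": "akswin22000000", "labels": {
            "kubernetes.io/os": "windows",
            "kubernetes.azure.com/node-image-version": "AKSWindows-2022-20348.2031.231007"}}},
    ]
})


if __name__ == "__main__":
    print("Windows nodes below the minimum image:", unpatched_windows_nodes(SAMPLE_NODES))
```

Run it against live data with `kubectl get nodes -o json | python3 check.py` after replacing `SAMPLE_NODES` with `sys.stdin.read()`; a node that reports an image version the script cannot parse is listed rather than silently skipped, so the output errs toward review.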