Home

Published

- 2 min read

Let's Defend - HTTP/2 rapid/ Reset

DFIR writeup Digital Forensics CVE-2023-44487 Lets defend Logs Pcap
img of Let's Defend - HTTP/2 rapid/ Reset

Description

We are hosting a gallery website for public arts, we faced slowness issues however our deployment team decided to utilize HTTP/2 as when scrolling a webpage with multiple images, a web browser can cancel images that fall outside the viewport, meaning that images entering it can load faster. Everything went smoothly in our testing environment but after going live with the new protocol suddenly everything stopped working. We were able to capture the traffic from the web server, can you help us to figure out what happened?

Tools

Tools Required
1- Wiresahrk

Writeup

Q1

What specific technique does the attacker employ in conducting traffic analysis?

T1499

In packets number 15 and 17, a large number of requests were observed using HEADERS and RST_STREAM frames.

Q2

What is the full request sent?

https://127.0.0.1:4433/foo

../../assets/images/DFIR/letsdefend/rapid/image7.png

Q3

Which cipher type is utilized in the TLS packets transmitted by the server?

TLS_AES_256_GCM_SHA384

In packet number 6 or 9, we observed the use of TLSv1.3.

../../assets/images/DFIR/letsdefend/rapid/image1.png

Q4

What is the tool name of the server hosting library being employed?

nghttpd

In packet number 16, we observed the use of the server nghttpd nghttp2/1.57.0-DEV. After conducting a search, it was found that nghttp2 is an open-source implementation of the HTTP/2 protocol in the C programming language.

Q5

Which protocols does the server support?

h2,h2-16,h2-14,http/1.1

By using github link we found This endpoint supports h2, h2-16, h2-14, and http/1.1 via ALPN/NPN and requires TLSv1.2 for HTTP/2 connection.

Or search by ALPN

../../assets/images/DFIR/letsdefend/rapid/image3.png

Q6

Which specific frame in the HTTP/2 protocol is accountable for triggering this attack?

RST_STREAM

Upon analyzing all requests, a significant number of RST_STREAM frames were observed. By using HTTP/2 statistics, it was found that there were 1000 requests.

Q7

What is the status code returned by the server in its response?

404

In packet number 16, the information field indicates a response of “404 Not Found.” Further investigation can provide additional details.

../../assets/images/DFIR/letsdefend/rapid/image5.png

Q8

What value enables the client to generate a high request rate by churning requests?

Max concurrent streams

Brief: In packet number 14, the SETTING[0] frame provides information related to this value.

../../assets/images/DFIR/letsdefend/rapid/image6.png

Q9

How many requests were made in total?

2008

By checking the statistics or HTTP2, the total number of requests can be determined.

Statistics -> HTTP2

../../assets/images/DFIR/letsdefend/rapid/image2.png

Q10

Which frame is responsible for closing the connection?

GOAWAY

I saw GOAWAY frame this frame responsible for closing the connection in packet num 17 go on the last request

../../assets/images/DFIR/letsdefend/rapid/image4.png