Share
## https://sploitus.com/exploit?id=F94D5BB8-9B74-5F23-B7A1-600FDAA168CD
# CVE-2023-44487 โ€” HTTP/2 Rapid Reset Test Lab

Educational environment for LTAT.04.022 Homework 4.  
Four containers let you scan and compare vulnerable vs. patched configurations.

---

## Port Map

| Container      | Port  | Software        | Status      |
|----------------|-------|-----------------|-------------|
| nginx-vuln     | 8441  | nginx 1.24      | Vulnerable  |
| nginx-secure   | 8442  | nginx latest    | Patched     |
| apache-vuln    | 8443  | Apache 2.4.57   | Vulnerable  |
| apache-secure  | 8444  | Apache latest   | Patched     |

---

## 1. Setup

```bash
# Generate self-signed TLS certs (required by all containers)
bash gen-certs.sh

# Start all 4 containers
docker compose up -d

# Verify all are running
docker compose ps
```

---

## 2. Basic Connectivity Test

```bash
# Check each container responds (ignore cert warning with -k)
curl -k --http2 -I https://localhost:8441   # nginx vulnerable
curl -k --http2 -I https://localhost:8442   # nginx secure
curl -k --http2 -I https://localhost:8443   # apache vulnerable
curl -k --http2 -I https://localhost:8444   # apache secure
```

Expected: `HTTP/2 200` from all four.

---

## 3. Confirm HTTP/2 is Active

```bash
curl -k --http2 -v https://localhost:8441 2>&1 | grep -E "ALPN|HTTP/"
```

Look for:
```
* ALPN: server accepted h2
&1 | grep "MAX_CONCURRENT" | tail -1 | awk -F: '{print $2}' | tr -d ']')
  echo "port $port โ†’ MAX_CONCURRENT_STREAMS: $streams"
done

# (Results)
port 8441 โ†’ MAX_CONCURRENT_STREAMS: 128
port 8442 โ†’ MAX_CONCURRENT_STREAMS: 32
port 8443 โ†’ MAX_CONCURRENT_STREAMS: 1000
port 8444 โ†’ MAX_CONCURRENT_STREAMS: 32
```

Vulnerable server: high stream limit (128+)  
Secure server: limited to 32

---

## 6. Simulate Rapid Reset Pressure (Safe, Local Only)

This sends 50 requests rapidly on one connection โ€” not a real attack,
but shows the server's RST handling behavior in logs.

```bash
# h2load is part of nghttp2-client
h2load -n 1000 -c 1 -m 50 https://localhost:8441   # vuln
h2load -n 1000 -c 1 -m 50 https://localhost:8442   # secure
```

Expected logs for examples:

```bash
$ h2load -n 1000 -c 1 -m 1000 https://localhost:8441
starting benchmark...
spawning thread #0: 1 total client(s). 1000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done

finished in 22.51ms, 44428.65 req/s, 5.38MB/s
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 124.07KB (127049) total, 83.01KB (85000) headers (space savings 38.85%), 23.44KB (24000) data
                     min         max         mean         sd        +/- sd
time for request:      260us      2.98ms      2.25ms       384us    87.70%
time for connect:     2.51ms      2.51ms      2.51ms         0us   100.00%
time to 1st byte:     3.24ms      3.24ms      3.24ms         0us   100.00%
req/s           :   45059.11    45059.11    45059.11        0.00   100.00%

$ h2load -n 1000 -c 1 -m 1000 https://localhost:8442
starting benchmark...
spawning thread #0: 1 total client(s). 1000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done

finished in 5.38ms, 18583.91 req/s, 2.33MB/s
requests: 1000 total, 1000 started, 167 done, 100 succeeded, 900 failed, 900 errored, 0 timeout
status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 12.83KB (13134) total, 8.30KB (8500) headers (space savings 38.85%), 2.25KB (2300) data
                     min         max         mean         sd        +/- sd
time for request:       83us      1.04ms       533us       256us    63.00%
time for connect:     2.96ms      2.96ms      2.96ms         0us   100.00%
time to 1st byte:     3.55ms      3.55ms      3.55ms         0us   100.00%
req/s           :   19316.22    19316.22    19316.22        0.00   100.00%
```

The secure container will show connection resets or refusals when the
stream limit is hit; the vulnerable one will accept all 50 without complaint.

---

## 7. Compare Server Headers

```bash
# Vulnerable servers expose version info
curl -k -I https://localhost:8441 2>/dev/null | grep -i server
curl -k -I https://localhost:8443 2>/dev/null | grep -i server

# Secure servers hide or minimize version info
curl -k -I https://localhost:8442 2>/dev/null | grep -i server
curl -k -I https://localhost:8444 2>/dev/null | grep -i server
```

---

## 8. Teardown

```bash
docker compose down
```

---

## What the Configs Change (Summary)

### nginx

| Setting                        | Vulnerable (1.24) | Secure (1.25.3+) |
|--------------------------------|-------------------|------------------|
| `http2_max_concurrent_streams` | 128 (default)     | 32               |
| `keepalive_requests`           | 10000             | 100              |
| `keepalive_timeout`            | 300s              | 65s              |
| RST_STREAM rate guard          | None              | Built into patch |

### Apache

| Setting               | Vulnerable (2.4.57) | Secure (2.4.58+) |
|-----------------------|---------------------|------------------|
| `H2MaxSessionStreams`  | 1000                | 32               |
| `ServerTokens`        | Full                | Prod             |
| Reset guard patch     | Not present         | Applied          |

---

## References

- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- Cloudflare Report: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- Google Report: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- CISA Advisory: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487