Share
## https://sploitus.com/exploit?id=F94D5BB8-9B74-5F23-B7A1-600FDAA168CD
# CVE-2023-44487 โ HTTP/2 Rapid Reset Test Lab
Educational environment for LTAT.04.022 Homework 4.
Four containers let you scan and compare vulnerable vs. patched configurations.
---
## Port Map
| Container | Port | Software | Status |
|----------------|-------|-----------------|-------------|
| nginx-vuln | 8441 | nginx 1.24 | Vulnerable |
| nginx-secure | 8442 | nginx latest | Patched |
| apache-vuln | 8443 | Apache 2.4.57 | Vulnerable |
| apache-secure | 8444 | Apache latest | Patched |
---
## 1. Setup
```bash
# Generate self-signed TLS certs (required by all containers)
bash gen-certs.sh
# Start all 4 containers
docker compose up -d
# Verify all are running
docker compose ps
```
---
## 2. Basic Connectivity Test
```bash
# Check each container responds (ignore cert warning with -k)
curl -k --http2 -I https://localhost:8441 # nginx vulnerable
curl -k --http2 -I https://localhost:8442 # nginx secure
curl -k --http2 -I https://localhost:8443 # apache vulnerable
curl -k --http2 -I https://localhost:8444 # apache secure
```
Expected: `HTTP/2 200` from all four.
---
## 3. Confirm HTTP/2 is Active
```bash
curl -k --http2 -v https://localhost:8441 2>&1 | grep -E "ALPN|HTTP/"
```
Look for:
```
* ALPN: server accepted h2
&1 | grep "MAX_CONCURRENT" | tail -1 | awk -F: '{print $2}' | tr -d ']')
echo "port $port โ MAX_CONCURRENT_STREAMS: $streams"
done
# (Results)
port 8441 โ MAX_CONCURRENT_STREAMS: 128
port 8442 โ MAX_CONCURRENT_STREAMS: 32
port 8443 โ MAX_CONCURRENT_STREAMS: 1000
port 8444 โ MAX_CONCURRENT_STREAMS: 32
```
Vulnerable server: high stream limit (128+)
Secure server: limited to 32
---
## 6. Simulate Rapid Reset Pressure (Safe, Local Only)
This sends 50 requests rapidly on one connection โ not a real attack,
but shows the server's RST handling behavior in logs.
```bash
# h2load is part of nghttp2-client
h2load -n 1000 -c 1 -m 50 https://localhost:8441 # vuln
h2load -n 1000 -c 1 -m 50 https://localhost:8442 # secure
```
Expected logs for examples:
```bash
$ h2load -n 1000 -c 1 -m 1000 https://localhost:8441
starting benchmark...
spawning thread #0: 1 total client(s). 1000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done
progress: 20% done
progress: 30% done
progress: 40% done
progress: 50% done
progress: 60% done
progress: 70% done
progress: 80% done
progress: 90% done
progress: 100% done
finished in 22.51ms, 44428.65 req/s, 5.38MB/s
requests: 1000 total, 1000 started, 1000 done, 1000 succeeded, 0 failed, 0 errored, 0 timeout
status codes: 1000 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 124.07KB (127049) total, 83.01KB (85000) headers (space savings 38.85%), 23.44KB (24000) data
min max mean sd +/- sd
time for request: 260us 2.98ms 2.25ms 384us 87.70%
time for connect: 2.51ms 2.51ms 2.51ms 0us 100.00%
time to 1st byte: 3.24ms 3.24ms 3.24ms 0us 100.00%
req/s : 45059.11 45059.11 45059.11 0.00 100.00%
$ h2load -n 1000 -c 1 -m 1000 https://localhost:8442
starting benchmark...
spawning thread #0: 1 total client(s). 1000 total requests
TLS Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
Server Temp Key: X25519 253 bits
Application protocol: h2
progress: 10% done
finished in 5.38ms, 18583.91 req/s, 2.33MB/s
requests: 1000 total, 1000 started, 167 done, 100 succeeded, 900 failed, 900 errored, 0 timeout
status codes: 100 2xx, 0 3xx, 0 4xx, 0 5xx
traffic: 12.83KB (13134) total, 8.30KB (8500) headers (space savings 38.85%), 2.25KB (2300) data
min max mean sd +/- sd
time for request: 83us 1.04ms 533us 256us 63.00%
time for connect: 2.96ms 2.96ms 2.96ms 0us 100.00%
time to 1st byte: 3.55ms 3.55ms 3.55ms 0us 100.00%
req/s : 19316.22 19316.22 19316.22 0.00 100.00%
```
The secure container will show connection resets or refusals when the
stream limit is hit; the vulnerable one will accept all 50 without complaint.
---
## 7. Compare Server Headers
```bash
# Vulnerable servers expose version info
curl -k -I https://localhost:8441 2>/dev/null | grep -i server
curl -k -I https://localhost:8443 2>/dev/null | grep -i server
# Secure servers hide or minimize version info
curl -k -I https://localhost:8442 2>/dev/null | grep -i server
curl -k -I https://localhost:8444 2>/dev/null | grep -i server
```
---
## 8. Teardown
```bash
docker compose down
```
---
## What the Configs Change (Summary)
### nginx
| Setting | Vulnerable (1.24) | Secure (1.25.3+) |
|--------------------------------|-------------------|------------------|
| `http2_max_concurrent_streams` | 128 (default) | 32 |
| `keepalive_requests` | 10000 | 100 |
| `keepalive_timeout` | 300s | 65s |
| RST_STREAM rate guard | None | Built into patch |
### Apache
| Setting | Vulnerable (2.4.57) | Secure (2.4.58+) |
|-----------------------|---------------------|------------------|
| `H2MaxSessionStreams` | 1000 | 32 |
| `ServerTokens` | Full | Prod |
| Reset guard patch | Not present | Applied |
---
## References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-44487
- Cloudflare Report: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
- Google Report: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
- CISA Advisory: https://www.cisa.gov/news-events/alerts/2023/10/10/http2-rapid-reset-vulnerability-cve-2023-44487