Demo for detection and mitigation of HTTP/2 Rapid Reset vulnerability (CVE-2023-44487)

# ⚡ CVE-2023-44487 Demo – HTTP/2 Rapid Reset Attack
This project demonstrates the HTTP/2 "Rapid Reset" vulnerability (CVE-2023-44487) that allows attackers to overwhelm servers using RST_STREAM frames, causing denial-of-service (DoS). It includes:
- ✅ Exploit test using a Golang-based tool
- ✅ Vulnerable Apache HTTP/2 setup via Docker
- ✅ Real-time monitoring with Webmin
- ✅ Firewall-based mitigation with IPTables
---
## 📁 Folder Structure
- [`Setup/setup_guide.md`](Setup/setup_guide.md) – Environment setup (attacker & victim)
- [`Detection/webmin_monitoring.md`](Detection/webmin_monitoring.md) – Monitoring with Webmin
- [`Mitigation/iptables.md`](Mitigation/iptables.md) – Firewall rule to stop the attack
- [`Images/`](Images/)
  - `webmin_spike.png`
  - `webmin_cpu.png`
  - `apache_log.png`
- `README.md`
---
## ⚙️ Setup Instructions
📄 View full setup guide here:
[`Setup/setup_guide.md`](Setup/setup_guide.md)
It includes:
- Cloning the original exploit repo
- Building the Golang tool
- Running the vulnerable Apache HTTP/2 container
- Installing and accessing Webmin
---
## 🕵️ Detection (Webmin Monitoring)
📝 **Guide**: Detection/webmin_monitoring.md
### 📸 Screenshots
- `Images/webmin_spike.png` – CPU spike during attack
- `Images/webmin_cpu.png` – Webmin CPU monitor
- `Images/apache_log.png` – Apache access logs
These visuals confirm that the exploit successfully triggers load and logs corresponding request activity.
---
## 🛡️ Mitigation (IPTables Firewall Rules)
📄 See: [`Mitigation/iptables.md`](Mitigation/iptables.md)
Highlights:
- Uses `hashlimit` to rate-limit connections per IP
- Drops excess HTTP/2 requests
- Protects the server from resource exhaustion
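
A per-source-IP `hashlimit` rule set of the kind summarised above, as an added example that is not the project's own `Mitigation/iptables.md`. The function name, chain name, port 443 and the 20/sec rate with burst 40 are assumptions to tune for the lab. Netfilter counts new TCP connections here, not HTTP/2 streams inside TLS, so pair it with a patched server and a stream limit.

```shell
#!/bin/sh
# Added example: prints iptables rules for review instead of applying them.
# Usage after sourcing this file: h2_ratelimit_rules [PORT] [RATE_PER_SEC] [BURST]
# Defaults (443, 20, 40) and the chain name H2_LIMIT are assumptions.

# Succeeds only for a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

h2_ratelimit_rules() {
    port="${1:-443}"
    rate="${2:-20}"
    burst="${3:-40}"

    # Reject anything that is not a plain number before it reaches a command line.
    for v in "$port" "$rate" "$burst"; do
        is_uint "$v" || { echo "non-numeric argument: $v" >&2; return 2; }
    done
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 2
    fi
    if [ "$rate" -lt 1 ] || [ "$burst" -lt 1 ]; then
        echo "rate and burst must be at least 1" >&2
        return 2
    fi

    # 1. Dedicated chain so the limit can be flushed without touching INPUT.
    # 2. Only NEW connections to the HTTP/2 port are counted.
    # 3. One bucket per source IP; traffic above the rate is dropped.
    # 4. Everything under the limit returns to normal INPUT processing.
    cat <<EOF
iptables -N H2_LIMIT
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j H2_LIMIT
iptables -A H2_LIMIT -m hashlimit --hashlimit-name h2_new --hashlimit-mode srcip --hashlimit-above $rate/sec --hashlimit-burst $burst --hashlimit-htable-expire 60000 -j DROP
iptables -A H2_LIMIT -j RETURN
EOF
}
```

Review the printed rules, then apply them as root on the victim host; `iptables -L H2_LIMIT -v -n` shows the drop counter rising during a test run.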
---
## Credits
This demo is based on [PatrickTulskie's `reset-rabbit`](https://github.com/PatrickTulskie/reset-rabbit), extended with:
- 🛠️ Step-by-step setup & detection documentation
- 📊 Visual proof of DoS using Webmin
- 🔐 Custom IPTables rules to mitigate the attack
Created for educational use under controlled lab conditions.
---
## 📚 References
- [CVE-2023-44487 – NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-44487)
- [Google Cloud – Rapid Reset Blog](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack)
- [Cloudflare: HTTP/2 vs HTTP/1.1](https://www.cloudflare.com/learning/performance/http2-vs-http1.1/)
- [Vicarius Security Blog. (2024)](https://www.vicarius.io/vsociety/posts/rapid-reset-cve-2023-44487-dos-in-http2-understanding-the-root-cause)
---
Created by **Harshitha Sha** ❤️
```
[4.0K] /data/pocs/ecdf3f11b07efb19649f39b85b40bd2c0d933223
├── [4.0K] Detection
│   └── [ 910] webmin_monitoring.md
├── [1.4K] dockerfile
├── [ 412] gitignore
├── [ 121] go.mod
├── [ 421] go.sum
├── [4.0K] Images
│   ├── [387K] apache_log.png
│   ├── [186K] webmin_cpu.png
│   └── [343K] webmin_spike.png
├── [4.0K] Mitigation
│   └── [ 537] iptables.md
├── [2.6K] README.md
├── [5.0K] reset-rabbit-research.go
└── [4.0K] Setup
    └── [1.2K] setup_guide.md

4 directories, 12 files
```