This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.
Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.
- CVE-2023-44487, CIRCL CVE Search
- How AWS protects customers from DDoS events, AWS
- How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack, Google
- HTTP/2 Rapid Reset: deconstructing the record-breaking attack, Cloudflare
- Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2, Microsoft
- Potential mention of a similar issue in 2018 concerning HAproxy
- RFC7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)
- Security Advisory 2023-074 HTTP/2 Rapid Reset DDoS Vulnerability, CERT-EU
- HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487, CISA
- Using HTTP/3 Stream Limits in HTTP/2 - IETF draft to backport the HTTP/3 steam limits in HTTP/2
- Apache Tomcat - Fixed in 8.5.94
- AWS
- F5
- Golang
- HAPROXY - HAProxy is not affected by the HTTP/2 Rapid Reset Attack
- Kong
- Microsoft IIS
- Microsoft MsQuic - Fixed in 2.2.3
- Netscaler
- Nginx
- nghttp2 library - Fixed in 1.57.0
echo 1 | openssl s_client -alpn h2 -connect google.com:443 -status 2>&1 | grep "ALPN"
nmap -p 443 --script=tls-nextprotoneg www.google.com
curl -Is --http2-prior-knowledge https://example.com/| head -1
- Basic vulnerability scanning tool to see if web servers may be vulnerable to CVE-2023-44487
- Rapid Reset Client is a tool for testing mitigations and exposure to CVE-2023-44487 (Rapid Reset DDoS attack vector)
-
Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:
keepalive_requests
should be kept at the default setting of 1000 requestshttp2_max_concurrent_streams
should be kept at the default setting of 128 streamslimit_conn
andlimit_req
should be set "with a reasonable setting balancing application performance and security"
- Remove reference to
http2
in the listening part
Web apps that are behind the following DDoS protection providers / CDNs should not be impacted:
- AWS
- Cloudflare
- Google Cloud
- Microsoft Azure
@secengjeff Thank you. It's included.