This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.
Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.
- CVE-2023-44487, CIRCL CVE Search
- How AWS protects customers from DDoS events, AWS
- How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack, Google
- HTTP/2 Rapid Reset: deconstructing the record-breaking attack, Cloudflare
- Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2, Microsoft
- Potential mention of a similar issue in 2018 concerning HAproxy
- RFC7540 - Hypertext Transfer Protocol Version 2 (HTTP/2)
- Security Advisory 2023-074 HTTP/2 Rapid Reset DDoS Vulnerability, CERT-EU
- HTTP/2 Rapid Reset Vulnerability, CVE-2023-44487, CISA
- Using HTTP/3 Stream Limits in HTTP/2 - IETF draft to backport the HTTP/3 stream limits into HTTP/2
- Apache Tomcat - Fixed in 8.5.94
- AWS
- F5
- Golang
- HAPROXY - HAProxy is not affected by the HTTP/2 Rapid Reset Attack
- Kong
- Microsoft IIS
- Microsoft MsQuic - Fixed in 2.2.3
- Netscaler
- Nginx
- nghttp2 library - Fixed in 1.57.0
echo 1 | openssl s_client -alpn h2 -connect google.com:443 -status 2>&1 | grep "ALPN"
nmap -p 443 --script=tls-nextprotoneg www.google.com
curl -Is --http2-prior-knowledge https://example.com/ | head -1
- Basic vulnerability scanning tool to see if web servers may be vulnerable to CVE-2023-44487
- Rapid Reset Client is a tool for testing mitigations and exposure to CVE-2023-44487 (Rapid Reset DDoS attack vector)
Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:
- keepalive_requests should be kept at the default setting of 1000 requests
- http2_max_concurrent_streams should be kept at the default setting of 128 streams
- limit_conn and limit_req should be set "with a reasonable setting balancing application performance and security"
- Otherwise, remove the reference to http2 in the listening part (the listen directive) to disable HTTP/2 entirely
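An nginx server block that applies the settings above, added here as an illustration and not taken from the NGINX advisory; the example.com name, certificate paths, zone sizes and the 20-connection / 10r/s values are assumed placeholders to be tuned per application.

```nginx
# Added illustration (not from the NGINX advisory): keep HTTP/2 enabled but
# bound what a single client can do, rather than disabling the protocol.
# limit_conn_zone / limit_req_zone belong in the http {} context; the zone
# sizes and rates below are assumed placeholders.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=10r/s;

server {
    # Dropping the "http2" parameter here is the alternative mitigation:
    # the server then only speaks HTTP/1.1 on this listener.
    listen 443 ssl http2;
    server_name example.com;                              # placeholder

    ssl_certificate     /etc/nginx/certs/example.crt;     # placeholder paths
    ssl_certificate_key /etc/nginx/certs/example.key;

    # Pinned to the defaults the advisory says to keep, so a stray override
    # elsewhere in the configuration cannot raise them unnoticed.
    keepalive_requests           1000;
    http2_max_concurrent_streams 128;

    # Per-client caps on open connections and request rate; the numbers are
    # assumed placeholders, "balancing application performance and security".
    limit_conn perip_conn 20;
    limit_req  zone=perip_req burst=20 nodelay;

    location / {
        root /var/www/html;                               # placeholder content root
    }
}
```

Run `nginx -t` after editing to confirm the directives are accepted in the contexts shown.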
Web apps that are behind the following DDoS protection providers / CDNs should not be impacted:
- AWS
- Cloudflare
- Google Cloud
- Microsoft Azure
Hello, besides this information, are there any public datasets related to these attacks? I'm currently doing research about the topic and it would be very useful to check traffic generated by this kind of attack. Thank you in advance.