Skip to content

Instantly share code, notes, and snippets.

@adulau
Last active June 27, 2024 16:52
Show Gist options
  • Save adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088 to your computer and use it in GitHub Desktop.
Save adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088 to your computer and use it in GitHub Desktop.
HTTP/2 Rapid Reset DDoS Attack

Introduction

This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.

Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.

References

Vendor advisories and statements

Testing if HTTP/2 is enabled

OpenSSL

echo 1 | openssl s_client -alpn h2 -connect google.com:443 -status 2>&1  | grep "ALPN"

Nmap

nmap -p 443 --script=tls-nextprotoneg www.google.com

curl

curl -Is --http2-prior-knowledge https://example.com/| head -1

Testing if it's vulnerable (use at your own risk)

Potential remediation

NGINX

can be configured to mitigate the vulnerability

  • Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:

    • keepalive_requests should be kept at the default setting of 1000 requests
    • http2_max_concurrent_streams should be kept at the default setting of 128 streams
    • limit_conn and limit_req should be set "with a reasonable setting balancing application performance and security"

If you want to remove http2 support

  • Remove reference to http2 in the listening part

DDoS protection / CDNs

Web apps that are behind the following DDoS protection providers / CDNs should not be impacted:

  • AWS
  • Cloudflare
  • Google Cloud
  • Microsoft Azure
@shblue21
Copy link

shblue21 commented Jan 3, 2024

Thanks you for docs. it's lightspeed rapid reset blog.
https://blog.litespeedtech.com/2023/10/11/rapid-reset-http-2-vulnerablilty/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment