CVE-2023-44487
HTTP/2 Rapid Reset — Record-Breaking DDoS Attack
Impact: HTTP/2's stream cancellation feature (RST_STREAM) is abused to generate request floods at a fraction of the usual attacker cost; the largest recorded attack peaked at 398 million requests per second. Patches reduce the per-connection cost but do not turn the technique off: any internet-exposed HTTP/2 server without rate limiting or an upstream DDoS mitigation layer remains exposed to this efficiency-amplified DDoS, and a small botnet is enough to saturate it.
Step-by-Step Fix Runbook
# Nginx
nginx -v
# Vulnerable: < 1.25.3 (distribution packages may keep an older version string and ship the fix as a backport; check the package changelog)
# Apache
apache2 -v   # or httpd -v
# Vulnerable: < 2.4.58
# Node.js
node --version
# Check the bundled nghttp2:
node -e "console.log(process.versions.nghttp2)"
# Vulnerable nghttp2: < 1.57.0 (Node.js 18.18.2 and 20.8.1 ship the fixed library)
# Go HTTP servers: check Go version
go version
# Vulnerable Go: < 1.20.10, < 1.21.3 (and golang.org/x/net/http2 < 0.17.0 for code that vendors it)
# Check if HTTP/2 is active (an "HTTP/2 200" line means the server negotiated h2)
curl -I --http2 https://yoursite.com 2>&1 | grep HTTP
# Ubuntu/Debian
apt-get update && apt-get install --only-upgrade nginx
nginx -v   # 1.25.3+ when installed from nginx.org; a distribution package may report an older
           # version and still carry the backported fix, so confirm it in the changelog:
apt changelog nginx | grep -i CVE-2023-44487
# Or build 1.25.3+ from source (nginx has its own HTTP/2 implementation and does not link nghttp2)
# Or the Ubuntu PPA:
add-apt-repository ppa:nginx/stable
apt-get update && apt-get install nginx
# RHEL/CentOS: use the official nginx.org repository (nginx.org/packages/rhel/9/)
# Test HTTP/2 after upgrade
nginx -t && systemctl reload nginx
curl --http2 -I https://yoursite.com
# nginx.conf — http block
http {
# Cap concurrent streams per HTTP/2 connection (default 128). A cancelled stream stops counting
# against this limit, so on its own it does not stop Rapid Reset; 1.25.3 additionally caps the
# number of new streams accepted per event-loop iteration
http2_max_concurrent_streams 128;
# Limit connections per IP
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 100;
# Request rate limiting
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=100r/s;
limit_req zone=req_limit burst=200 nodelay;
# Keepalive: keepalive_requests also bounds the total number of streams nginx serves on one
# HTTP/2 connection before closing it (1000 by default), which caps what one connection can do
keepalive_timeout 65;
keepalive_requests 1000;
}
server {
limit_conn conn_limit 50; # Per server block
}

# Cloudflare: enable DDoS protection
# Dashboard → Security → DDoS → Customize DDoS Protection
# Cloudflare's HTTP DDoS managed rules mitigated the August 2023 Rapid Reset attack (disclosed October 2023)
# Enable "Under Attack" mode temporarily if under active attack

# CloudFront (AWS): Shield Standard already covers CloudFront distributions automatically;
# the command below registers the distribution with Shield Advanced (requires a Shield Advanced subscription)
aws shield create-protection --name "HTTP2RapidResetProtection" \
  --resource-arn "arn:aws:cloudfront::123456789:distribution/ABCDEF"

# HAProxy: cap concurrent streams per HTTP/2 connection in haproxy.cfg (global section)
# tune.h2.max-concurrent-streams 100
# Nginx access log: RST_STREAM frames themselves are not logged, but the flood of opened streams is.
# Requests nginx had started processing when the cancel arrived usually appear with status 499
# (client closed request). Indicators: thousands of requests from one IP, many 499s, in a short window
# Top source IPs in the most recent 20,000 lines (tail -f cannot feed sort, which needs end of input)
tail -n 20000 /var/log/nginx/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Same over the whole file
awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head -10
# Alert: >1000 requests/minute from single IP
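The awk one-liners above count totals over the whole file, which hides a burst that lasted one minute. The following is an added example, not part of the original page and not nginx's or fail2ban's code: it parses nginx "combined" access-log lines, buckets requests per client per minute, and flags a source either for exceeding the 1000 requests/minute threshold or for having most of its requests end in 499. The log lines and IP addresses are constructed for the example; the thresholds are the page's and an assumed 50% cancel ratio.

```python
import re
from collections import Counter, defaultdict

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse(line):
    """Return (ip, minute_bucket, status) for one access-log line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    minute = m["ts"][:17]  # "10/Oct/2023:14:05:33 +0000" -> "10/Oct/2023:14:05"
    return m["ip"], minute, int(m["status"])


def analyze(lines, per_minute=1000, cancel_ratio=0.5, min_requests=100):
    """Flag clients that exceed `per_minute` requests in any one minute, or that sent at least
    `min_requests` of which `cancel_ratio` or more were logged as 499 (client cancelled).
    The 50% ratio and the 100-request floor are assumed values, not nginx defaults."""
    per_ip_minute = defaultdict(Counter)
    cancelled, total = Counter(), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, minute, status = rec
        per_ip_minute[ip][minute] += 1
        total[ip] += 1
        if status == 499:
            cancelled[ip] += 1

    flagged = {}
    for ip, minutes in per_ip_minute.items():
        peak_minute, peak = minutes.most_common(1)[0]
        ratio = cancelled[ip] / total[ip]
        if peak >= per_minute or (total[ip] >= min_requests and ratio >= cancel_ratio):
            flagged[ip] = {"peak_rpm": peak, "minute": peak_minute, "cancel_ratio": round(ratio, 2)}
    return flagged


def sample_log():
    """Constructed sample: one client opening 1,200 streams in one minute, all cancelled (499),
    and one ordinary client. Addresses are documentation ranges, not real hosts."""
    lines = []
    for i in range(1200):
        sec = i // 20  # 20 requests per second for 60 seconds
        lines.append(f'203.0.113.7 - - [10/Oct/2023:14:05:{sec:02d} +0000] '
                     f'"GET /{i} HTTP/2.0" 499 0 "-" "h2-flood"')
    for i in range(30):
        lines.append(f'198.51.100.4 - - [10/Oct/2023:14:05:{i:02d} +0000] '
                     f'"GET /index.html HTTP/2.0" 200 512 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, info in analyze(sample_log()).items():
        print(ip, info)
```

`analyze` takes any iterable of lines, so `analyze(open("/var/log/nginx/access.log"))` runs it over a live log; feed the flagged addresses to your block list or to the fail2ban jail below rather than banning on raw totals.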
# Set up fail2ban for HTTP flood: the filter matches every request line, so the jail's
# maxretry/findtime pair is what turns it into a rate threshold
# /etc/fail2ban/filter.d/nginx-req-limit.conf:
# [Definition]
# failregex = ^<HOST>.*"(GET|POST)
# ignoreregex =
# /etc/fail2ban/jail.local, [nginx-req-limit] section:
# enabled = true
# filter = nginx-req-limit
# logpath = /var/log/nginx/access.log
# findtime = 60
# maxretry = 1000

Frequently Asked Questions
How does the HTTP/2 Rapid Reset attack work?
HTTP/2 multiplexes many streams over a single connection, and a client may cancel any stream at any time by sending an RST_STREAM frame. The attacker opens a stream with a HEADERS frame carrying a request and sends RST_STREAM (error code CANCEL) immediately after it, then repeats this thousands of times per second. Two things make this cheap for the attacker and expensive for the server. First, a cancelled stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, so the attacker stays under the concurrency limit while opening an unbounded number of streams. Second, the server has already parsed and routed the request (and often dispatched it to a backend) before it sees the reset, so it spends CPU on work that never produces a response, while each cancel costs the client only a 13-byte frame. A small number of attacker connections can overwhelm servers this way, as demonstrated in the record-breaking 398 million RPS attack disclosed in October 2023.
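To make the mechanics concrete, here is an added example in Python; it is not from the original page and is not any vendor's implementation. It encodes the attacker's HEADERS/RST_STREAM pairs as raw HTTP/2 frames, then models the server side of the connection: the standard concurrent-stream limit, and a per-connection reset-rate rule in the spirit of the counting mitigations the vendors described. The ":authority" value, the reset thresholds (100 resets, 50% ratio) and the abuse decision are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Frame types, flags and the CANCEL error code from RFC 9113 (HTTP/2).
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL = 0x8


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def decode_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, buf[pos + 9:pos + 9 + length]))
        pos += 9 + length
    return frames


def hpack_literal(name, value):
    """HPACK 'literal header field without indexing, new name' (RFC 7541 6.2.2) with raw strings
    and no Huffman coding; valid for names and values shorter than 127 bytes."""
    n, v = name.encode(), value.encode()
    return b"\x00" + bytes([len(n)]) + n + bytes([len(v)]) + v


def request_headers(path="/"):
    """Header block for a minimal GET; the ':authority' example.com is a constructed value."""
    fields = [(":method", "GET"), (":scheme", "https"), (":authority", "example.com"), (":path", path)]
    return b"".join(hpack_literal(n, v) for n, v in fields)


def rapid_reset_burst(pairs):
    """Attacker side: open a stream with HEADERS and cancel it at once, `pairs` times on one
    connection. Client stream ids are odd and increasing; each cancel is a 13-byte frame."""
    out = b""
    for i in range(pairs):
        sid = 2 * i + 1
        out += encode_frame(HEADERS, END_STREAM | END_HEADERS, sid, request_headers(f"/{i}"))
        out += encode_frame(RST_STREAM, 0, sid, CANCEL.to_bytes(4, "big"))
    return out


@dataclass
class Connection:
    """Server side of one connection. Enforces SETTINGS_MAX_CONCURRENT_STREAMS as the protocol
    requires and adds a reset-rate rule; the two thresholds are illustrative assumptions."""
    max_concurrent: int = 128
    max_resets: int = 100       # assumed: resets tolerated before the ratio rule is consulted
    reset_ratio: float = 0.5    # assumed: fraction of opened streams that were cancelled
    open_streams: set = field(default_factory=set)
    opened: int = 0
    resets: int = 0
    refused: int = 0
    peak_concurrent: int = 0
    abusive: bool = False

    def feed(self, buf):
        """Consume frames from the client; return True once the connection is judged abusive."""
        for ftype, flags, sid, payload in decode_frames(buf):
            if self.abusive:
                break
            if ftype == HEADERS:
                if len(self.open_streams) >= self.max_concurrent:
                    self.refused += 1           # a real server answers RST_STREAM(REFUSED_STREAM)
                    continue
                self.open_streams.add(sid)
                self.opened += 1
                self.peak_concurrent = max(self.peak_concurrent, len(self.open_streams))
            elif ftype == RST_STREAM and sid in self.open_streams:
                self.open_streams.discard(sid)  # a cancelled stream no longer counts as concurrent
                self.resets += 1
                if self.resets > self.max_resets and self.resets / self.opened > self.reset_ratio:
                    self.abusive = True         # a real server would send GOAWAY and close
        return self.abusive


if __name__ == "__main__":
    conn = Connection()
    print("abusive:", conn.feed(rapid_reset_burst(1000)),
          "opened:", conn.opened, "peak concurrent:", conn.peak_concurrent)
```

Running it shows why `http2_max_concurrent_streams` alone is not a defence: a 1000-pair burst never has more than one stream open at a time, so the concurrency limit is never hit, and only the reset counter stops the connection.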
Was this the largest DDoS attack ever recorded?
At the time of disclosure (October 2023), yes. Google mitigated an attack exploiting CVE-2023-44487 that peaked at 398 million requests per second, Cloudflare one of 201 million RPS, and AWS one of 155 million RPS, all between August and October 2023. Google's figure was roughly 7.5 times the previous record of 71 million RPS. The attack against Google used a botnet of only about 20,000 machines, which demonstrates the technique's efficiency.
Can I disable HTTP/2 as a mitigation?
Yes, disabling HTTP/2 eliminates the attack vector entirely; clients fall back to HTTP/1.1. In nginx, remove 'http2' from the listen directive (listen 443 ssl; instead of listen 443 ssl http2;); on nginx 1.25.1 and later, where HTTP/2 is enabled with the separate http2 on; directive, set http2 off; instead. Performance trade-off: HTTP/2 provides significant benefits (multiplexing, header compression), so disabling it should be a temporary measure while patching. After patching to nginx 1.25.3+/Apache 2.4.58+ and putting connection and request rate limits in place, re-enable HTTP/2.
Are self-hosted applications particularly at risk?
Self-hosted applications without a CDN/DDoS protection layer in front are at highest risk — they receive raw internet traffic directly. If you self-host with nginx/Apache/Node.js directly exposed to the internet without Cloudflare, AWS Shield, or similar: 1) Apply patches immediately. 2) Configure http2_max_concurrent_streams. 3) Enable connection rate limiting. 4) Consider adding Cloudflare proxy (free tier includes DDoS protection) in front of your origin.