How to fix CVE-2023-44487 – Step-by-Step Guide
CVE-2023-44487, known as the HTTP/2 Rapid Reset Attack, is a high-severity vulnerability (CVSS 7.5) published on October 10, 2023. It enables highly efficient DDoS attacks by exploiting a flaw in the HTTP/2 protocol's stream cancellation mechanism. This critical vulnerability affects virtually all HTTP/2 server implementations.
What is HTTP/2 Rapid Reset DDoS Attack?
The HTTP/2 Rapid Reset Attack leverages the protocol's stream cancellation (RST_STREAM) feature. An attacker repeatedly opens a new stream and immediately cancels it, without waiting for a response. This rapid sequence of stream creation and cancellation exhausts server resources, such as CPU and memory, leading to a denial of service with minimal attacker bandwidth.
Impact and Risks for your Infrastructure
This vulnerability enables attackers to launch massive DDoS attacks with unprecedented efficiency, using minimal resources. Businesses face severe service disruptions, reputational damage, and potential financial losses due to server unavailability. Infrastructure can be overwhelmed, leading to widespread outages across critical services.
Step-by-Step Mitigation Guide
To mitigate CVE-2023-44487, update your HTTP/2 server implementations immediately. Apply vendor-specific patches or upgrade to fixed versions, such as Nginx 1.25.3+ or nghttp2 1.57.0+. Verify the fix by checking your server's version and monitoring for unusual HTTP/2 traffic patterns or resource exhaustion after applying the updates.
- 1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
- 2Enable Cloudflare or CDN-level DDoS protection.
- 3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
- 4Implement rate limiting on HTTP/2 connections at the edge.
- 5Monitor for traffic spikes and RESET_STREAM frames.
- 6Consider disabling HTTP/2 on exposed endpoints if not required.