How to fix CVE-2023-44487 – Step-by-Step Guide
CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a high-severity vulnerability (CVSS 7.5) published on October 10, 2023. It enables highly efficient denial-of-service attacks by exploiting a flaw in the HTTP/2 protocol's stream cancellation feature. This critical vulnerability affects virtually all HTTP/2 server implementations.
What is HTTP/2 Rapid Reset DDoS Attack?
The HTTP/2 Rapid Reset attack leverages the protocol's stream cancellation mechanism (RST_STREAM frames). An attacker repeatedly opens a new stream and immediately cancels it, without waiting for a response. The server has already started work on each request by the time the cancellation arrives, yet a cancelled stream no longer counts toward the connection's concurrent-stream limit, so the attacker keeps the server busy far beyond that limit. This rapid sequence of requests and cancellations exhausts server resources, such as CPU and memory, leading to a denial of service with minimal attacker bandwidth.
Impact and Risks for your Infrastructure
This vulnerability allows attackers to launch highly efficient DDoS attacks, overwhelming critical infrastructure with minimal resources. Businesses face severe service disruptions, reputational damage, and potential financial losses due to inaccessible services. It can lead to complete unavailability of web applications and APIs.
Step-by-Step Mitigation Guide
To mitigate CVE-2023-44487, update your HTTP/2 server software to the latest patched versions immediately. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Other vendors like Apache, Node.js, and cloud providers have released specific patches; consult their advisories. Verify the fix by checking your server version and monitoring for unusual HTTP/2 traffic patterns.
1. Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2. Enable Cloudflare or CDN-level DDoS protection.
3. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4. Implement rate limiting on HTTP/2 connections at the edge.
5. Monitor for traffic spikes and for abnormally high rates of RST_STREAM frames per connection.
6. Consider disabling HTTP/2 on exposed endpoints if not required.
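The following Python model illustrates why steps 3 and 5 work together. It is an added example, not code from nginx or any vendor: it replays constructed frame-log lines through a per-connection guard that enforces a concurrent-stream cap (the same 128 the guide suggests) and a cap on RST_STREAM frames per time window. The window, the reset threshold, the log format and the class and function names are assumptions made for the example.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class ConnectionGuard:
    max_concurrent_streams: int = 128   # value the guide suggests for nginx
    window_seconds: float = 1.0         # constructed sliding window
    max_resets_per_window: int = 100    # constructed threshold
    open_streams: set = field(default_factory=set)
    resets: deque = field(default_factory=deque)  # timestamps of recent RST_STREAMs

    def on_frame(self, ts: float, kind: str, stream_id: int) -> str:
        """Return 'ok', 'refuse_stream' or 'close_connection' for one client frame."""
        if kind == "HEADERS":                       # client opens a stream
            if len(self.open_streams) >= self.max_concurrent_streams:
                return "refuse_stream"              # concurrency cap hit
            self.open_streams.add(stream_id)
        elif kind == "END_STREAM":                  # request finished normally
            self.open_streams.discard(stream_id)
        elif kind == "RST_STREAM":                  # client cancels the stream
            self.open_streams.discard(stream_id)    # no longer counts as open
            self.resets.append(ts)
            while self.resets and ts - self.resets[0] > self.window_seconds:
                self.resets.popleft()               # drop resets outside the window
            if len(self.resets) > self.max_resets_per_window:
                return "close_connection"           # reset-rate cap hit
        return "ok"


def analyze_frames(lines, **guard_kwargs):
    """Replay 'ts conn frame stream_id' log lines; return first verdict per connection."""
    guards, verdicts = {}, {}
    for line in lines:
        ts, conn, kind, sid = line.split()
        if verdicts.get(conn) == "close_connection":
            continue                                # connection already torn down
        guard = guards.setdefault(conn, ConnectionGuard(**guard_kwargs))
        verdict = guard.on_frame(float(ts), kind, int(sid))
        if verdict != "ok":
            verdicts.setdefault(conn, verdict)
    return {conn: verdicts.get(conn, "ok") for conn in guards}


# Constructed sample: "bad" opens and immediately resets 150 streams within 0.3 s;
# "good" opens two streams, finishes one normally and cancels the other.
SAMPLE_LOG = ["1.000 good HEADERS 1", "1.050 good END_STREAM 1",
              "1.100 good HEADERS 3", "1.120 good RST_STREAM 3"]
for i in range(150):
    t, sid = 1.0 + i * 0.002, 2 * i + 1
    SAMPLE_LOG += [f"{t:.3f} bad HEADERS {sid}", f"{t + 0.001:.3f} bad RST_STREAM {sid}"]
```

Running analyze_frames(SAMPLE_LOG) closes the "bad" connection while "good" stays "ok"; raising max_resets_per_window to a huge value shows that the concurrency cap alone lets the rapid-reset connection through, because each stream is cancelled before the cap is reached.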