How to fix CVE-2023-44487 – Step-by-Step Guide
CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a critical vulnerability affecting nearly all HTTP/2 server implementations. This high-severity flaw enables attackers to launch highly efficient denial-of-service attacks with minimal resources. Immediate patching is crucial to protect your infrastructure.
What is HTTP/2 Rapid Reset DDoS Attack?
The HTTP/2 Rapid Reset Attack exploits a flaw in the HTTP/2 protocol's stream cancellation feature. Attackers repeatedly send request streams and immediately cancel them, overwhelming server resources without completing full requests. This rapid reset cycle consumes server CPU and memory, leading to a denial of service.
Impact and Risks for your Infrastructure
This vulnerability allows attackers to launch extremely efficient DDoS attacks, causing significant service disruption and unavailability for affected applications. Servers can be overwhelmed with a fraction of normal traffic, leading to resource exhaustion and potential downtime. Businesses face reputational damage and financial losses due to service outages.
Step-by-Step Mitigation Guide
To mitigate CVE-2023-44487, update your HTTP/2 server implementations to the latest patched versions. For Nginx, upgrade to 1.25.3+ or 1.24.0+. For other vendors like Apache, Node.js, Go, AWS, and Cloudflare, apply their specific security updates. Verify the fix by confirming your server software versions are above the recommended patched levels.
- 1Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
- 2Enable Cloudflare or CDN-level DDoS protection.
- 3Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
- 4Implement rate limiting on HTTP/2 connections at the edge.
- 5Monitor for traffic spikes and RESET_STREAM frames.
- 6Consider disabling HTTP/2 on exposed endpoints if not required.