How to fix CVE-2023-44487 – Step-by-Step Guide
CVE-2023-44487, known as the HTTP/2 Rapid Reset Attack, is a high-severity vulnerability published on October 10, 2023. This critical flaw enables highly efficient Distributed Denial of Service (DDoS) attacks against virtually all HTTP/2 server implementations. It leverages a design weakness to overwhelm servers with minimal resources.
What is HTTP/2 Rapid Reset DDoS Attack?
The HTTP/2 Rapid Reset Attack exploits a flaw in the HTTP/2 protocol's stream cancellation mechanism. Attackers repeatedly send requests and immediately cancel them, creating a massive backlog of work for the server without fully establishing connections. This rapid reset cycle exhausts server resources, leading to a denial of service.
Impact and Risks for your Infrastructure
This vulnerability allows attackers to launch extremely efficient DDoS attacks with minimal resources, potentially taking down critical services. Businesses face significant operational disruption, revenue loss, and reputational damage due to service unavailability. Infrastructure can be overwhelmed, leading to widespread outages and resource exhaustion.
Step-by-Step Mitigation Guide
To mitigate CVE-2023-44487, update all HTTP/2 server implementations to their latest patched versions. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Other vendors like Apache, Node.js, Go, AWS, and Cloudflare have released specific patches; apply these immediately. Verify the fix by checking your server's version and monitoring for unusual HTTP/2 traffic patterns.
1. Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2. Enable Cloudflare or CDN-level DDoS protection.
3. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4. Implement rate limiting on HTTP/2 connections at the edge.
5. Monitor for traffic spikes and RST_STREAM frames.
6. Consider disabling HTTP/2 on exposed endpoints if not required.
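As an added example (not code from this guide or from any vendor), the following Python script implements the monitoring in step 5: it parses raw HTTP/2 frame headers from the client side of one connection and flags a client that opens many streams and immediately resets them. The frame layout and type codes come from RFC 9113; the detection thresholds and the sample traffic are constructed assumptions.

```python
# HTTP/2 frame type codes and header size (RFC 9113, sections 4.1 and 6)
FRAME_HEADERS = 0x1
FRAME_RST_STREAM = 0x3
FRAME_HEADER_LEN = 9   # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id
ERR_CANCEL = 0x8       # RST_STREAM error code CANCEL

def build_frame(ftype: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialize one raw HTTP/2 frame (flags fixed to 0); used only to construct the samples below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, 0]) + stream_id.to_bytes(4, "big") + payload

def iter_frames(data: bytes):
    """Yield (frame_type, stream_id, payload) for each complete frame in a raw byte stream."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype = data[off + 3]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, stream_id, payload
        off += FRAME_HEADER_LEN + length

def rapid_reset_score(data: bytes):
    """Return (streams opened by the client, of those reset by the client, reset ratio)."""
    opened, reset = set(), set()
    for ftype, sid, _ in iter_frames(data):
        if ftype == FRAME_HEADERS and sid % 2 == 1:   # client-initiated streams use odd ids
            opened.add(sid)
        elif ftype == FRAME_RST_STREAM and sid in opened:
            reset.add(sid)
    ratio = len(reset) / len(opened) if opened else 0.0
    return len(opened), len(reset), ratio

def is_rapid_reset(data: bytes, min_streams: int = 100, min_ratio: float = 0.9) -> bool:
    """Flag a connection that opened many streams and reset nearly all of them (assumed thresholds)."""
    opened, _, ratio = rapid_reset_score(data)
    return opened >= min_streams and ratio >= min_ratio

# Constructed samples (client side of one connection), not captured traffic.
# Attack pattern: 200 HEADERS frames, each followed at once by RST_STREAM(CANCEL) for the same stream.
ATTACK_SAMPLE = b"".join(
    build_frame(FRAME_HEADERS, sid, b"\x82") + build_frame(FRAME_RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big"))
    for sid in range(1, 400, 2))
# Benign pattern: the same 200 streams opened, only three of them cancelled.
BENIGN_SAMPLE = b"".join(build_frame(FRAME_HEADERS, sid, b"\x82") for sid in range(1, 400, 2)) + b"".join(
    build_frame(FRAME_RST_STREAM, sid, ERR_CANCEL.to_bytes(4, "big")) for sid in (1, 3, 5))

if __name__ == "__main__":
    for name, sample in (("attack", ATTACK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, rapid_reset_score(sample), "rapid reset" if is_rapid_reset(sample) else "ok")
```

In production the same counting would run per connection over a short time window, since a legitimate client can also cancel streams, just not hundreds of them within milliseconds.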