How to fix CVE-2023-44487 – Step-by-Step Guide
CVE-2023-44487, known as the HTTP/2 Rapid Reset DDoS Attack, is a critical vulnerability affecting nearly all HTTP/2 server implementations. Published on October 10, 2023, this high-severity flaw enables highly efficient denial-of-service attacks. It requires immediate attention from system administrators.
What is HTTP/2 Rapid Reset DDoS Attack?
The HTTP/2 Rapid Reset Attack leverages a flaw in the protocol's stream cancellation mechanism. Attackers send a stream request, immediately cancel it, and repeat this process thousands of times within a single TCP connection. This rapid succession of requests and cancellations exhausts server resources, leading to a denial of service.
Impact and Risks for your Infrastructure
This vulnerability allows attackers to launch massive DDoS attacks with minimal resources, potentially taking down critical services and infrastructure. Businesses face significant operational disruption, revenue loss, and reputational damage due to service unavailability. It poses a severe threat to any internet-facing HTTP/2 service.
Step-by-Step Mitigation Guide
To mitigate CVE-2023-44487, update your HTTP/2 server implementations to the latest patched versions. For Nginx, upgrade to 1.25.3+ or 1.24.0+. Ensure all affected components like nghttp2 are updated to 1.57.0+. Verify the fix by checking your server logs for unusual rapid reset patterns after applying patches. Consult vendor advisories for specific instructions.
1. Update nginx to 1.25.3+, Apache to 2.4.58+, and apply all vendor patches.
2. Enable Cloudflare or CDN-level DDoS protection.
3. Set http2_max_concurrent_streams to a low value (e.g., 128) in nginx.
4. Implement rate limiting on HTTP/2 connections at the edge.
5. Monitor for traffic spikes and RST_STREAM frames.
6. Consider disabling HTTP/2 on exposed endpoints if not required.
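Step 5 asks you to watch for the rapid reset pattern rather than for raw volume. The following added example (not part of this guide or of any vendor's code) shows the detection logic over constructed per-connection stream events: it counts, per connection, the streams that a client opens and cancels within a few milliseconds and reports the peak count seen in a sliding window, the same per-connection reset-rate idea the patched implementations rely on. The event tuples, the connection names and the thresholds are assumptions chosen for the sample.

```python
from collections import defaultdict, deque

# Constructed sample events: (time_s, conn_id, stream_id, frame).
# "HEADERS" = client opened a stream, "RST_STREAM" = client cancelled it.
def _benign(conn, n):
    # Normal client: a new stream every 50 ms, one in ten cancelled after ~2 s.
    ev = []
    for i in range(n):
        sid = 2 * i + 1                      # client-initiated streams are odd
        t = 0.05 * i
        ev.append((t, conn, sid, "HEADERS"))
        if i % 10 == 0:
            ev.append((t + 2.0, conn, sid, "RST_STREAM"))
    return ev

def _rapid_reset(conn, n):
    # Rapid reset pattern: open, cancel 1 ms later, 2000 streams per second.
    ev = []
    for i in range(n):
        sid = 2 * i + 1
        t = 0.0005 * i
        ev.append((t, conn, sid, "HEADERS"))
        ev.append((t + 0.001, conn, sid, "RST_STREAM"))
    return ev

SAMPLE_EVENTS = sorted(_benign("conn-A", 40) + _rapid_reset("conn-B", 600))

def rapid_reset_counts(events, reset_within=0.01, window=1.0):
    """Return {conn_id: peak number of rapid resets in any sliding window}.
    A reset is rapid when RST_STREAM follows HEADERS within reset_within s."""
    opened = {}                              # (conn, sid) -> open time
    recent = defaultdict(deque)              # conn -> times of rapid resets
    peak = defaultdict(int)
    for t, conn, sid, frame in sorted(events):
        if frame == "HEADERS":
            opened[(conn, sid)] = t
        elif frame == "RST_STREAM":
            t_open = opened.pop((conn, sid), None)
            if t_open is None or t - t_open > reset_within:
                continue                     # unknown stream or a normal late cancel
            q = recent[conn]
            q.append(t)
            while q and q[0] < t - window:   # drop resets older than the window
                q.popleft()
            peak[conn] = max(peak[conn], len(q))
    return dict(peak)

def offending_connections(events, threshold=200, **kw):
    """Connections whose peak rapid-reset count per window reached threshold."""
    return sorted(c for c, n in rapid_reset_counts(events, **kw).items() if n >= threshold)
```

On real traffic the events would come from your server's HTTP/2 frame logging or a packet capture; a connection that trips the threshold is a candidate for closing or for edge rate limiting (step 4).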