Announcement

Collapse
No announcement yet.

HTTP/2 "Rapid Reset" DDoS Attack Disclosed By Google, Cloudflare & AWS

Collapse
X
Collapse
 
  • Page of 3
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 template Next
  • #1

    HTTP/2 "Rapid Reset" DDoS Attack Disclosed By Google, Cloudflare & AWS

    Phoronix: HTTP/2 "Rapid Reset" DDoS Attack Disclosed By Google, Cloudflare & AWS

    Google, Cloudflare and AWS today disclosed a new zero-day vulnerability called the HTTP/2 Rapid Reset attack. This attack that is being seen in the real-world relies on a weakness in the HTTP2 protocol for carrying out "hyper volumetric" Distributed Denial of Service attacks...

    HTTP/2 "Rapid Reset" DDoS Attack Disclosed By Google, Cloudflare & AWS - Phoronix
    https://www.phoronix.com/news/HTTP2-Rapid-Reset-Attack
    Phoronix, Linux Hardware Reviews, Linux hardware benchmarks, Linux server benchmarks, Linux benchmarking, Desktop Linux, Linux performance, Open Source graphics, Linux How To, Ubuntu benchmarks, Ubuntu hardware, Phoronix Test Suite
    Tags: None
  • #2
    nice!

    being a protocol bug, I suppose it affects all implementations, right?
    • Likes 2

    Comment

    • #3
      Originally posted by cynic View Post
      nice!

      being a protocol bug, I suppose it affects all implementations, right?
      Or implement rate limit on the webserver?
      • Likes 1

      Comment

      • #4
        Originally posted by S.Pam View Post

        Or implement rate limit on the webserver?
        yes, that's what I said: you have to implement rate limit (or any other protecion measure) on all "webservers", whatever "webserver" means.

        basically everything that is able to respond to http2 requests.
        just to name a few that I work with daily, nginx, httpd, caddy or the standard library http server in go.

        I think there are countless cases to fix.

        Comment

        • #5
          Originally posted by cynic View Post

          yes, that's what I said: you have to implement rate limit (or any other protecion measure) on all "webservers", whatever "webserver" means.

          basically everything that is able to respond to http2 requests.
          just to name a few that I work with daily, nginx, httpd, caddy or the standard library http server in go.

          I think there are countless cases to fix.
          On the other hand, besides dev environments and stress test setups, where do you run your servers without a rate limit?

          Comment

          • #6
            Originally posted by bug77 View Post

            On the other hand, besides dev environments and stress test setups, where do you run your servers without a rate limit?
            ask cloudfare, apparently I'm not alone

            in any case, I don't think that rate limiting is a solution for this attack (haven't read the nitty gritty details yet), or it won't be an issue.

            • Likes 2

            Comment

            • #7
              Originally posted by cynic View Post
              in any case, I don't think that rate limiting is a solution for this attack (haven't read the nitty gritty details yet), or it won't be an issue.
              I mean, the reset allows to have more open requests then otherwise allowed. So in a form, this circumvents a previous rate limit. So some new rate limiting should help. The question is, can this be done in an efficient way?
              • Likes 4

              Comment

              • #8
                Who would have expected that Google's abomination failed
                • Likes 5

                Comment

                • #9
                  Nginx has put out a statement where they mention that it is already possible and in fact not too hard to prevent resource exhaustion from this kind of attack via config settings. Also, they plan to release a patch tomorrow to improve its resilience. It does not look like end of the world :-)
                  • Likes 1

                  Comment

                  • #10
                    Is http2 about to be deprecated?
                    • Likes 2

                    Comment

                    Previous 1 2 3 template Next
                    Working...
                    X