[HN Gopher] HTTP/2 rapid reset attack impacting Nginx products
___________________________________________________________________
HTTP/2 rapid reset attack impacting Nginx products
Author : 120bits
Score : 81 points
Date : 2023-10-12 19:04 UTC (1 hour ago)
(HTM) web link (www.nginx.com)
(TXT) w3m dump (www.nginx.com)
| dang wrote:
| Related. Others?
|
| _HAProxy is not affected by the HTTP/2 Rapid Reset Attack_ -
| https://news.ycombinator.com/item?id=37837043 - Oct 2023 (31
| comments)
|
| _The largest DDoS attack to date, peaking above 398M rps_ -
| https://news.ycombinator.com/item?id=37831062 - Oct 2023 (461
| comments)
|
| _HTTP/2 Rapid Reset: deconstructing the record-breaking attack_
| - https://news.ycombinator.com/item?id=37831004 - Oct 2023 (22
| comments)
|
| _HTTP/2 zero-day vulnerability results in record-breaking DDoS
| attacks_ - https://news.ycombinator.com/item?id=37830998 - Oct
| 2023 (69 comments)
|
| _The novel HTTP/2 'Rapid Reset' DDoS attack_ -
| https://news.ycombinator.com/item?id=37830987 - Oct 2023 (103
| comments)
| rewmie wrote:
| Thanks for the helpful summary. It does wonders to provide
| context for such an important topic.
| tialaramex wrote:
| It's been interesting to see who is affected and who isn't and
| their rationale.
| codetrotter wrote:
| Hehe, when I heard about the attack a couple of days ago I was
| interested to know if Nginx was affected and did a search on
| Google for the CVE of that attack followed by the name of Nginx.
|
| I didn't find anything relevant so I assumed that Nginx was not
| affected.
|
| Turns out that was not a good assumption :p
| herpderperator wrote:
| If you read the article, you'll see that the default
| configuration is not affected.
| codetrotter wrote:
| I know. But not everyone uses the default configuration.
| ahoka wrote:
| I immediately thought I'm happy not having to operate anything
| with nginx in front of it.
| sickofparadox wrote:
| Important to note that unless your Nginx instance has a special
| (read: very high) keepalive limit configured, Nginx has a fairly
| reasonable defense against the HTTP/2 rapid reset attack by
| default, as the article says. Still, interesting to see the
| response to these attacks.
| ChrisArchitect wrote:
| Why the submission, OP?
|
| Lots of discussion and submissions related to this over the last
| few days, not to mention this was submitted 2 days ago
| eastdakota wrote:
| From some first-hand experience over the last few months... these
| suggestions and the patch will help prevent a single client from
| overwhelming an NGINX server, but it will do little to stop even
| a modest botnet from generating enough requests to be a problem.
| Keeping some state on IPs and downgrading those that exceed
| limits to HTTP/1.1 I believe is the only effective defense.
| Tuning those thresholds to get them right is... challenging.
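The configuration point sickofparadox raises (the keepalive limit) and the per-IP state eastdakota describes, written out as an added nginx example. This is not the NGINX article's configuration and not something a commenter posted. The directive names are real nginx directives; the zone names, thresholds, hostnames, certificate paths and upstream address are assumptions chosen for illustration, and the fixed per-IP limits below are a static approximation of the adaptive tracking eastdakota has in mind, not a per-client downgrade to HTTP/1.1, which plain nginx configuration does not offer.

```nginx
# Added example, not from the NGINX post or the thread. Zone names,
# thresholds, hostnames, paths and the upstream are illustrative.

http {
    # Per-client state kept in shared memory: one slot per source IP.
    # A rapid-reset client that nginx forces to reconnect every
    # keepalive_requests requests is throttled here, before it can
    # make the origin pay for another batch of reset streams.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=50r/s;

    # WEAK (left commented out, do not enable): what "a special
    # (read: very high) keepalive limit" looks like. With the
    # per-connection request cap effectively removed, a single HTTP/2
    # connection can keep sending HEADERS followed by RST_STREAM for as
    # long as it likes; only http2_max_concurrent_streams bounds how
    # many are in flight at once, and it does not bound the total.
    #
    # server {
    #     listen 443 ssl;
    #     http2 on;
    #     server_name weak.example;
    #     keepalive_requests 1000000;
    # }

    # HARDENED: keep nginx's defaults and add per-client limits.
    server {
        listen 443 ssl;
        http2 on;                      # nginx >= 1.25.1; older releases
                                       # use "listen 443 ssl http2;"
        server_name hardened.example;
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path

        # The defaults, made explicit. keepalive_requests has defaulted
        # to 1000 since 1.19.10: after 1000 requests on one connection
        # nginx closes it, so every further batch of reset streams costs
        # the attacker a fresh TCP and TLS handshake.
        keepalive_requests 1000;
        keepalive_timeout  75s;

        # Default 128: the cap on streams open at once per connection.
        # A stream that is reset immediately has still cost the server
        # its setup work, so this bounds concurrency, not total work;
        # that is why it is not the defense on its own.
        http2_max_concurrent_streams 128;

        # Per-IP caps drawn from the zones above: at most 10 open
        # connections per client, and 50 requests/s with a burst of 100
        # accepted before excess requests are rejected with 503.
        limit_conn perip_conn 10;
        limit_req  zone=perip_req burst=100 nodelay;

        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed upstream
        }
    }
}
```

Check the file with `nginx -t` before reloading. The thresholds are the part eastdakota calls challenging: a rate that stops a single abusive client will not stop a botnet spreading the same request volume across many source addresses, so the per-IP numbers are a starting point to tune against observed traffic, not a fixed answer.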
___________________________________________________________________
(page generated 2023-10-12 21:00 UTC)