[HN Gopher] HTTP/2 rapid reset attack impacting Nginx products
___________________________________________________________________

HTTP/2 rapid reset attack impacting Nginx products

Author : 120bits
Score  : 81 points
Date   : 2023-10-12 19:04 UTC (1 hours ago)

(HTM) web link (www.nginx.com)

| dang wrote:
| Related. Others?
|
| _HAProxy is not affected by the HTTP/2 Rapid Reset Attack_ -
| https://news.ycombinator.com/item?id=37837043 - Oct 2023 (31 comments)
|
| _The largest DDoS attack to date, peaking above 398M rps_ -
| https://news.ycombinator.com/item?id=37831062 - Oct 2023 (461 comments)
|
| _HTTP/2 Rapid Reset: deconstructing the record-breaking attack_ -
| https://news.ycombinator.com/item?id=37831004 - Oct 2023 (22 comments)
|
| _HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks_ -
| https://news.ycombinator.com/item?id=37830998 - Oct 2023 (69 comments)
|
| _The novel HTTP/2 'Rapid Reset' DDoS attack_ -
| https://news.ycombinator.com/item?id=37830987 - Oct 2023 (103 comments)
|
| | rewmie wrote:
| | Thanks for the helpful summary. It does wonders to provide
| | context to such an important topic.

| tialaramex wrote:
| It's been interesting to see who is affected and who isn't and
| their rationale.

| codetrotter wrote:
| Hehe, when I heard about the attack a couple of days ago I was
| interested to know if Nginx was affected and did a search on
| Google for the CVE of that attack followed by the name of Nginx.
|
| I didn't find anything relevant so I assumed that Nginx was not
| affected.
|
| Turns out that was not a good assumption :p
|
| | herpderperator wrote:
| | If you read the article, you'll see that the default
| | configuration is not affected.
| |
| | | codetrotter wrote:
| | | I know. But not everyone uses the default configuration.

| ahoka wrote:
| I immediately thought I'm happy not having to operate anything
| with nginx in front of it.
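An added configuration example, not taken from the submitted nginx article or from any commenter in this thread: it shows, side by side, the kind of "very high keepalive limit" that the thread says removes nginx's built-in protection against rapid reset, and the bounded defaults that keep it, plus the per-client-address limits that a commenter argues are needed against more than a single client. The hostname, certificate paths and upstream address are placeholders; the default values shown (keepalive_requests 1000, http2_max_concurrent_streams 128) are those documented by nginx for current releases and should be confirmed against the version actually deployed.

```nginx
# Added example (not from the article or the thread). Placeholders are marked.
# Defaults cited are nginx's documented defaults; confirm for your build.

http {
    # --- Weak: a "special (read: very high) keepalive limit" ---
    # With this, one connection may carry up to 1,000,000 requests before nginx
    # closes it. Every stream a client opens and immediately resets still counts
    # as a request, so the per-connection ceiling that normally ends a rapid
    # reset flood is effectively gone.
    # keepalive_requests 1000000;

    # --- Default / recommended: keep the per-connection budget bounded ---
    # After 1000 requests (streams) on one connection nginx closes it, and the
    # client has to pay for a fresh TCP and TLS handshake to continue.
    keepalive_requests 1000;

    # Bound how many streams may be in flight at once on one HTTP/2 connection.
    http2_max_concurrent_streams 128;

    # Defence in depth along the lines of the per-IP state mentioned in the
    # thread: cap concurrent connections and request rate per client address, so
    # a client cut off by keepalive_requests cannot just reopen without limit.
    # Zone sizes and rates are constructed sample values; tune them to your traffic.
    limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=50r/s;

    server {
        listen 443 ssl http2;
        server_name example.com;                            # placeholder hostname
        ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

        limit_conn per_ip_conn 20;                    # max 20 open connections per address
        limit_req  zone=per_ip_req burst=100 nodelay; # 50 r/s sustained, 100 burst

        location / {
            proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        }
    }
}
```

The two keepalive lines are the whole point of the comparison: the directive is not a vulnerability switch, it is the budget that decides how much work a single connection can generate before nginx tears it down. The limit_conn and limit_req zones do not replace that budget; they address the separate problem of many connections from the same source, which is the gap the thread's last comment points at. Watch the nginx error log for limit_conn and limit_req rejections after deploying, since thresholds set too low will shed legitimate clients first.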
| sickofparadox wrote:
| Important to note that unless your Nginx instance has a special
| (read: very high) keepalive limit configured, Nginx has a fairly
| reasonable defense against HTTP/2 rapid reset attack by default,
| as the article says. Still, interesting to see the response to
| these attacks.

| ChrisArchitect wrote:
| Why the submission OP?
|
| Lots of discussion and submissions related to this over the last
| few days, not to mention this submitted 2 days ago

| eastdakota wrote:
| From some first-hand experience over the last few months... these
| suggestions and patch will help prevent a single client from
| overwhelming an NGINX server, but it will do little to stop even
| a modest botnet from generating enough requests to be a problem.
| Keeping some state on IPs and downgrading those that exceed
| limits to HTTP/1.1 I believe is the only effective defense.
| Tuning those thresholds to get them right is... challenging.
___________________________________________________________________
(page generated 2023-10-12 21:00 UTC)