I can't find anything about this on the Apache site, so I've disabled HTTP/2 as a precaution. Any information on how to secure Apache2 against this?
1 Answer
Found this on GitHub:
CVE-2023-44487 HTTP/2 'Rapid Reset'
Apache HTTP Server is not impacted by the problem described in CVE-2023-44487: the long-standing measures we have in place to limit excessive load from clients are effective in this scenario. The attack described will cause extra CPU usage on your Apache HTTP Server process, but not impact any backends.
As an extra mitigation, if you upgrade the libnghttp2 dependency of mod_http2 to at least version 1.57.0 this will completely remove the impact from Rapid Reset exploits.
https://github.com/apache/httpd-site/pull/10/files/0ed0b409383b2ab17c8c04a59b6365c3a27a4920
If you have real-time traffic monitoring you could monitor for unusual activity of rst_stream packets. It looks like that is one of the mitigations Cloudflare performed: https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/. Likewise, quoted from https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/: "To mitigate against the non-canceling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses." Tuning H2MaxSessionStreams could help as far as Apache goes to limit the number of requests and memory usage within a single connection if the limit isn't already set.
Further details from the Apache HTTP Server project itself: https://github.com/icing/blog/blob/main/h2-rapid-reset.md – craigmj Oct 20 '23 at 13:02
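The answer above suggests watching for unusual RST_STREAM activity and bounding streams per connection with H2MaxSessionStreams. The following is an added example of what that monitoring logic looks like in practice; it is not code from Apache httpd, Cloudflare, or the answer's author. It assumes you already have the decrypted HTTP/2 frames one client sent on one connection (after the connection preface), for instance from a test client or a TLS-terminating proxy's debug output. The frame bytes, HPACK payloads, and the thresholds `min_streams` and `cancel_ratio` are all constructed for illustration.

```python
"""Flag HTTP/2 'rapid reset' behaviour (CVE-2023-44487) in a captured frame stream.

Added example for this thread, not code from Apache httpd, Cloudflare or the
answer's author. Input is assumed to be the raw frames a single client sent on
one connection after the preface; the samples below are constructed inline and
the HPACK header bytes are placeholders, not real request headers.
"""
from typing import Dict, List, Tuple

# Frame type codes and the CANCEL error code from RFC 9113
DATA = 0x0
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8
FLAG_END_STREAM = 0x1

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> List[Frame]:
    """Split a byte string into frames; stops cleanly at a truncated trailing frame."""
    frames: List[Frame] = []
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # incomplete frame: do not mis-align on partial data
        frames.append((ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def rapid_reset_stats(frames: List[Frame], min_streams: int = 20,
                      cancel_ratio: float = 0.9) -> Dict[str, object]:
    """Count streams the client opened and then cancelled without sending anything else.

    peak_concurrent is the quantity H2MaxSessionStreams bounds. A rapid-reset
    client keeps it tiny because each stream is reset before the next opens,
    which is why the cancel ratio, not concurrency, is the useful signal here.
    min_streams and cancel_ratio are illustrative thresholds (assumptions).
    """
    opened = 0
    cancelled = 0
    live = set()        # streams currently open
    untouched = set()   # open streams with no frame after their HEADERS
    peak = 0
    for ftype, _flags, sid, payload in frames:
        if sid == 0:
            continue  # SETTINGS, PING, GOAWAY etc. are connection-level, not streams
        if ftype == HEADERS and sid not in live:
            opened += 1
            live.add(sid)
            untouched.add(sid)
            peak = max(peak, len(live))
        elif ftype == RST_STREAM and sid in live:
            live.discard(sid)
            code = int.from_bytes(payload, "big") if len(payload) == 4 else None
            if code == ERR_CANCEL and sid in untouched:
                cancelled += 1
            untouched.discard(sid)
        else:
            untouched.discard(sid)  # DATA, trailers, CONTINUATION: the stream was really used
    ratio = cancelled / opened if opened else 0.0
    return {
        "opened": opened,
        "cancelled": cancelled,
        "peak_concurrent": peak,
        "cancel_ratio": ratio,
        "flagged": opened >= min_streams and ratio >= cancel_ratio,
    }


def benign_connection() -> bytes:
    """Constructed sample: two GETs, the second cancelled by the client (user navigated away)."""
    return b"".join([
        build_frame(HEADERS, FLAG_END_STREAM, 1, b"\x82\x84"),  # placeholder HPACK bytes
        build_frame(HEADERS, FLAG_END_STREAM, 3, b"\x82\x84"),
        build_frame(RST_STREAM, 0, 3, ERR_CANCEL.to_bytes(4, "big")),
    ])


def rapid_reset_connection(n: int = 50) -> bytes:
    """Constructed sample: n streams on one connection, each opened and cancelled at once."""
    out = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out.append(build_frame(HEADERS, FLAG_END_STREAM, sid, b"\x82\x84"))
        out.append(build_frame(RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big")))
    return b"".join(out)


if __name__ == "__main__":
    for name, blob in (("benign", benign_connection()), ("rapid-reset", rapid_reset_connection())):
        print(name, rapid_reset_stats(parse_frames(blob)))
```

Running the script prints the two summaries side by side: the benign connection has a peak concurrency of 2 and a 0.5 cancel ratio over too few streams to matter, while the constructed rapid-reset connection never exceeds one concurrent stream (so a stream limit alone would not notice it) yet cancels 100% of the 50 streams it opened, which is the pattern worth alerting on and, per the answer's quoted recommendation, closing the connection over.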