Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
Topic: are we secure using http/2? |
|
Author |
|
mrdj1024
Joined: 03 Apr 2023 Posts: 55 Location: Bridgeton,NJ,USA
|
Posted: Mon 20 May '24 13:48 Post subject: are we secure using http/2? |
|
|
i came across this on my youtube list and it was posted 3 days ago,does this affect us using the apache builds?
https://www.youtube.com/watch?v=1ez0xzwl6Ds |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7374 Location: Germany, Next to Hamburg
|
Posted: Tue 21 May '24 9:47 Post subject: |
|
|
Apache HTTP Server is not impacted by the problem described in CVE-2023-44487: the long-standing measures we have in place to limit excessive load from clients are effective in this scenario. The attack described will cause extra CPU usage on your Apache HTTP Server process, but not impact any backends.
As an extra mitigation, once you have upgraded the libnghttp2 dependency of mod_http2 to at least version 1.57.0 that will completely remove the impact from Rapid Reset exploits.
https://github.com/apache/httpd-site/pull/10/files/0ed0b409383b2ab17c8c04a59b6365c3a27a4920
If you have real-time traffic monitoring you could monitor for unusual activity of rst_stream packets. It looks like that is one of the mitigations Cloudflare performed https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ . Likewise, quoted from https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/ , "To mitigate against the non-canceling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses." Tuning H2MaxSessionStreams could help as far as Apache goes to limit the number of requests and memory usage within a single connection if the limit isn't already set. |
|
Back to top |
|
|
|
|
|
|