logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: are we secure using http/2?
Author
mrdj1024



Joined: 03 Apr 2023
Posts: 37
Location: Bridgeton,NJ,USA

PostPosted: Mon 20 May '24 13:48    Post subject: are we secure using http/2? Reply with quote

i came across this on my youtube list and it was posted 3 days ago,does this affect us using the apache builds?
https://www.youtube.com/watch?v=1ez0xzwl6Ds
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7316
Location: Germany, Next to Hamburg

PostPosted: Tue 21 May '24 9:47    Post subject: Reply with quote

Apache HTTP Server is not impacted by the problem described in CVE-2023-44487: the long-standing measures we have in place to limit excessive load from clients are effective in this scenario. The attack described will cause extra CPU usage on your Apache HTTP Server process, but not impact any backends.

As an extra mitigation, once you have upgraded the libnghttp2 dependency of mod_http2 to at least version 1.57.0 that will completely remove the impact from Rapid Reset exploits.

https://github.com/apache/httpd-site/pull/10/files/0ed0b409383b2ab17c8c04a59b6365c3a27a4920

If you have real-time traffic monitoring you could monitor for unusual activity of rst_stream packets. It looks like that is one of the mitigations Cloudflare performed https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ . Likewise, quoted from https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/ , "To mitigate against the non-canceling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses." Tuning H2MaxSessionStreams could help as far as Apache goes to limit the number of requests and memory usage within a single connection if the limit isn't already set.
Back to top


Reply to topic   Topic: are we secure using http/2? View previous topic :: View next topic
Post new topic   Forum Index -> Apache