Topic: are we secure using http/2?

[mrdj1024]

i came across this on my youtube list and it was posted 3 days ago,does this affect us using the apache builds?
https://www.youtube.com/watch?v=1ez0xzwl6Ds

[James Blond]

Apache HTTP Server is not impacted by the problem described in CVE-2023-44487: the long-standing measures we have in place to limit excessive load from clients are effective in this scenario. The attack described will cause extra CPU usage on your Apache HTTP Server process, but not impact any backends.

As an extra mitigation, once you have upgraded the libnghttp2 dependency of mod_http2 to at least version 1.57.0 that will completely remove the impact from Rapid Reset exploits.

https://github.com/apache/httpd-site/pull/10/files/0ed0b409383b2ab17c8c04a59b6365c3a27a4920

If you have real-time traffic monitoring you could monitor for unusual activity of rst_stream packets. It looks like that is one of the mitigations Cloudflare performed https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/ . Likewise, quoted from https://www.theregister.com/2023/10/10/http2_rapid_reset_zeroday/ , "To mitigate against the non-canceling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses." Tuning H2MaxSessionStreams could help as far as Apache goes to limit the number of requests and memory usage within a single connection if the limit isn't already set.