On October 10th 2023, information about an HTTP/2 vulnerability (CVE-2023-44487) that could be used for Distributed Denial of Service (DDoS) attacks on sites was released. It now goes by the name “Rapid Reset HTTP/2”.
If you are concerned about being a victim of this type of attack, there are things you can do to help mitigate it.
First, you can place your servers and sites behind a proxy such as CloudFlare. Such services have already rolled out mitigations against these kinds of attacks and will drop the traffic before it even hits your servers.
AWS, Google Cloud and Microsoft Azure already have mitigations in place to address the threat, so if your servers are running there you are also benefiting from the protections they have put in place. Other cloud providers may have rolled out protections as well.
Second, if you are running NGINX, you can apply their recommended changes to your servers – you can view those recommendations in the related NGINX blog article.
In particular, they are recommending the following:
They are also recommending that you look at the following two directives:
The bottom line is that, for WPCD, you shouldn’t have to make any changes to your NGINX configuration if you’re using our default stack and values.
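For anyone maintaining their own NGINX configuration rather than the WPCD default stack, here is an added example (not from this post or the NGINX article) of a server block that keeps the per-connection HTTP/2 stream and keepalive limits at NGINX's defaults and adds per-client connection and request-rate limits. The zone names, sizes, rates, hostname, certificate paths and upstream address are placeholders chosen for illustration.

```nginx
# Added example, not the post's or NGINX's own configuration. Zone names,
# sizes and rates below are assumptions; tune them for your real traffic.

http {
    # Shared-memory zones for per-client limits, keyed by client IP.
    limit_conn_zone $binary_remote_addr zone=rr_conn:10m;
    limit_req_zone  $binary_remote_addr zone=rr_req:10m rate=50r/s;

    server {
        listen 443 ssl http2;
        server_name example.com;                      # placeholder
        ssl_certificate     /path/to/fullchain.pem;   # placeholder
        ssl_certificate_key /path/to/privkey.pem;     # placeholder

        # Upper bound on concurrently open streams per HTTP/2 connection.
        # 128 is the NGINX default; raising it widens the attack window.
        http2_max_concurrent_streams 128;

        # Requests served over one connection before NGINX closes it.
        # 1000 is the default in current NGINX releases (older builds used 100).
        keepalive_requests 1000;

        # At most 20 simultaneous connections from a single client IP.
        limit_conn rr_conn 20;

        # Smooth each client's request rate; short bursts are allowed through.
        limit_req zone=rr_req burst=100 nodelay;

        location / {
            proxy_pass http://127.0.0.1:8080;         # placeholder upstream
        }
    }
}
```

The stream and keepalive limits bound how much work one connection can create before it is closed; the limit_conn and limit_req directives cap what a single client address can do across connections.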
The OpenLiteSpeed folks are stating that they are NOT affected by this vulnerability because of the way they’ve developed their implementation of HTTP/2. So, again, for WPCD, you should not have to make any changes if you’re using our default configuration.
You can read more about OpenLiteSpeed’s analysis of the issue on their site.
If you are running other application stacks besides WPCD, you should check out this GitHub repository, where recommendations are being updated for multiple stacks that are affected.