OT: Rapid Reset attacks on HTTP/2
Jeffrey Walton
noloader at gmail.com
Tue Oct 10 19:46:25 UTC 2023
On Tue, Oct 10, 2023 at 3:04 PM Maxim Dounin <mdounin at mdounin.ru> wrote:
>
> On Tue, Oct 10, 2023 at 02:50:37PM -0400, Jeffrey Walton wrote:
>
> > This just made my radar:
> > <https://thehackernews.com/2023/10/http2-rapid-reset-zero-day.html>.
> >
> > From the article:
> >
> > F5, in an independent advisory of its own, said the attack impacts the
> > NGINX HTTP/2 module and has urged its customers to update their NGINX
> > configuration to limit the number of concurrent streams to a default of
> > 128 and persist HTTP connections for up to 1000 requests.
>
> The "the attack impacts the NGINX HTTP/2 module" claim is
> incorrect, see here:
>
> https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
>
> Hope this helps.

Thanks Maxim.

The Nginx team may want to publish a blog post or knowledge article. I
got 0 hits when searching the site
<https://www.google.com/search?q="rapid+reset"+site:nginx.org>. It
will help admins and executives find the team's information.

Jeff