OT: Rapid Reset attacks on HTTP/2
Maxim Dounin
mdounin at mdounin.ru
Tue Oct 10 19:03:42 UTC 2023
Hello!
On Tue, Oct 10, 2023 at 02:50:37PM -0400, Jeffrey Walton wrote:
> Hi Everyone,
>
> This just made my radar:
> <https://thehackernews.com/2023/10/http2-rapid-reset-zero-day.html>.
>
> From the article:
>
> F5, in an independent advisory of its own, said the attack impacts the
> NGINX HTTP/2 module and has urged its customers to update their NGINX
> configuration to limit the number of concurrent streams to a default of
> 128 and persist HTTP connections for up to 1000 requests.
The "the attack impacts the NGINX HTTP/2 module" claim is
incorrect, see here:
https://mailman.nginx.org/pipermail/nginx-devel/2023-October/S36Q5HBXR7CAIMPLLPRSSSYR4PCMWILK.html
Hope this helps.
--
Maxim Dounin
http://mdounin.ru/