That, err, took a while. I mean I'm excited and I can't imagine the complexities of adding it to something as massive as Heroku, but Salesforce have a lot of money to chuck at stuff if they wanted and stuff like HTTP/2 shouldn't be an announcement in 2024!
This new HTTP/2 DoS vulnerability (CONTINUATION Flood) was just disclosed after several weeks of well coordinated disclosure across all the major HTTP implementations yielding multiple CVEs:
#MicrosoftGraph has recently deployed support for #http2. 🚀🚀🚀
In this blog post I share a retrospective on how we made this happen for such a large #API
Use discount code "HAPPY2024" to knock 15% off the price of paid writing or API consulting/workshops. Book now and let's get this year off to a productive start!
@icing @bert_hubert that CVE is completely irresponsible. A CVE is supposed to list known vulnerabilities in released software, not potential vulnerabilities in all implementations of a single protocol. Now we have security heroes from all over the world asking each and every #HTTP project whether they have a fix for a vulnerability that they never had in the first place #infosec #http2
@icing while i agree that #http implementations should interpret standards intelligently and possibly diverge where justified, i do not understand why it was "lame" to point out that the spdy to #http2 "gold plating" process brushed over a lot of feedback and controversies.
🧵
@icing after all, this is an #http2 protocol weakness which implementations need to compensate for, and not just about bad implementations. thus i would think that this problem (and, i expect more similar ones to come) could have been avoided right from the start.
i also agree with the "back pressure" concept, but even when done right, h2 still requires significantly more resources than h1.
"The state of the art is no longer in finding more sophisticated ways to build JavaScript or CSS. It's not to build at all. To lean on HTTP/2 and the now universal support for import maps to avoid bundling."
#fefe on #http2 https://blog.fefe.de/?ts=9bdb4a0e
Besides, HTTP/2 is a Google invention. So Google is trying to establish a hero myth here, in which they save us from the monster that they themselves created. Without mentioning the part where they created the monster. Sickening, these tech bros, always. #http
⚠️ If you are using HTTP/2 beware of the novel #zeroday #vulnerability dubbed the "HTTP/2 Rapid Reset" attack disclosed today.
This attack exploits a weakness in the #HTTP2 protocol to generate enormous Distributed Denial of Service (#DDoS) attacks:
@adulau This is from Akamai.
I'm not going to alt-text the image since it's only text and it's twice the size of the alt-text limit. I will add the text in this message below. So the alt-text is just the bit after the hashtags.
I don't have a link to the advisory as it was sent through their portal as this text. #CVE202344487 #HTTP2 #HTTPSRapidResetAttack #RapidResetAttack #Akamai #InfoSec
--
Advisory Title: Customers using Akamai Security Products are protected from CVE-2023-44487: HTTP2 Rapid Reset attacks.
This attack, while novel, is at the protocol level and would be mitigated by Akamai on behalf of its customers in the same manner as any other Layer 7 DDoS attack using security product capabilities like Rate Controls, Web Application Firewall (WSA), Bot Man Premier (BMP) or Client Reputation. No additional specific guidance is presently required to mitigate this threat. However, with the emergence of new threats, we encourage customers to work with their Akamai account team and update their security configurations, including rate controls, to ensure they are properly mitigating Layer 7 DDoS attacks.
Even customers without specific security solutions will benefit from built-in protections on the Akamai platform developed to mitigate this threat.
This attack exploits HTTP2 stream multiplexing: attackers immediately reset a stream after initiating a request, resulting in work on the edge server beyond the intended 100 stream limit. This could trigger tens of thousands of simultaneous requests from one connection. Most major HTTP2 stacks behave similarly, and patches or mitigations should be available on 10th October as well.
Akamai has actively participated in the global response to this vulnerability since August, collaborating with other industry stakeholders until its public announcement on October 10th. Over the course of September, we refined our edge delivery software to better detect and manage such attacks, including limiting streams available to abusive HTTP2 clients.
During the industry-wide confidentiality period, Akamai was bound not to disclose details about this vulnerability. However, we remained in close coordination with our partners to ensure customer protection and actively monitored our platform for this abuse.
Additional Customer Mitigation Guidance:
For SOCC and security customer mitigations, this should be treated the same as any other L7 DDoS attack.
Customers with security products in alert mode may observe an increase in attacks when this attack is made public. Customers may want to proactively put their products in deny mode and review or adjust rate controls accordingly.
Customers without rate controls or other security products in deny mode will have clients limited to 100 simultaneous requests per client connection, as per the HTTP2 specification. If an existing Akamai CDN customer needs protection against L7 DDoS attacks, they are encouraged to add AAP or AAP+ASM products to avail the L7 DDoS protections.
Prolexic customers should adopt vendor patches or vendor guidance which will be available on 10th October. If vendor mitigations are unavailable or a customer is under attack, the suggested mitigation is to disable HTTP2 until a patch can be applied.
Customers with origin infrastructure or other services exposed on the internet, not behind Akamai SiteShield or OIPACL should update their vendors software, apply vendor mitigations, or disable HTTP2 until a fix can be applied.
There's an important vulnerability being disclosed today that allows attackers to massively increase the size of DDoS attacks.
The flaw is being tracked as CVE-2023-44487, a.k.a. "HTTP/2 Rapid Reset Attack." According to Damian Menscher at Google, the attack "works by sending a request and then immediately cancelling it (a feature of HTTP/2). This lets attackers skip waiting for responses, resulting in a more efficient attack."
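The Akamai advisory above and the Google quote both describe the same pattern: a request is opened and immediately cancelled, so the per-connection concurrent-stream limit is never reached while the server still does work for every request. As an added example (not code from any of the posts, and not Akamai's or Google's mechanism), the following tracker shows the kind of per-connection accounting that "limiting streams available to abusive HTTP2 clients" implies; the frame-event feed, the threshold values and the two sample connections are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed policy values (hypothetical; not any vendor's defaults).
MAX_CONCURRENT_STREAMS = 100  # the per-connection limit the advisory refers to
RAPID_RESET_SECONDS = 0.05    # RST_STREAM this soon after HEADERS counts as "rapid"
WINDOW_SECONDS = 1.0
RAPID_RESET_LIMIT = 50        # rapid resets tolerated per connection per window

class ConnectionTracker:
    def __init__(self):
        self.open_streams = defaultdict(dict)   # conn -> {stream_id: headers_ts}
        self.rapid_resets = defaultdict(deque)  # conn -> timestamps of rapid resets
        self.peak_concurrent = defaultdict(int)
        self.flagged = set()

    def observe(self, ts, conn, stream, frame):
        """Feed one frame event; return True if this connection is now flagged."""
        if frame == "HEADERS":
            self.open_streams[conn][stream] = ts
            n = len(self.open_streams[conn])
            self.peak_concurrent[conn] = max(self.peak_concurrent[conn], n)
        elif frame in ("RST_STREAM", "END_STREAM"):
            opened = self.open_streams[conn].pop(stream, None)
            if frame == "RST_STREAM" and opened is not None \
                    and ts - opened < RAPID_RESET_SECONDS:
                q = self.rapid_resets[conn]
                q.append(ts)
                while q and ts - q[0] > WINDOW_SECONDS:   # slide the window
                    q.popleft()
                if len(q) > RAPID_RESET_LIMIT:
                    self.flagged.add(conn)
        return conn in self.flagged

def constructed_events():
    """Constructed sample: one open-and-reset connection, one well-behaved one."""
    events = []
    for i in range(2000):                      # request, cancel, repeat
        ts = i * 0.0005
        events.append((ts, "attacker", 2 * i + 1, "HEADERS"))
        events.append((ts + 0.0001, "attacker", 2 * i + 1, "RST_STREAM"))
    for i in range(20):                        # requests that run to completion
        events.append((i * 0.01, "browser", 2 * i + 1, "HEADERS"))
        events.append((i * 0.01 + 0.2, "browser", 2 * i + 1, "END_STREAM"))
    return sorted(events)

def run_demo():
    tracker = ConnectionTracker()
    for ts, conn, stream, frame in constructed_events():
        tracker.observe(ts, conn, stream, frame)
    return {"flagged": tracker.flagged, "peak": dict(tracker.peak_concurrent)}
```

The result shows why the 100-stream limit alone does not help: the resetting connection never has more than one stream open at a time, yet it pushed 2000 requests at the server in under a second, and only the rapid-reset budget catches it.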