That, err, took a while. I mean I'm excited and I can't imagine the complexities of adding it to something as massive as Heroku, but Salesforce have a lot of money to chuck at stuff if they wanted and stuff like HTTP/2 shouldn't be an announcement in 2024!
This new HTTP/2 DoS vulnerability (CONTINUATION Flood) was just disclosed after several weeks of well-coordinated disclosure across all the major HTTP implementations, yielding multiple CVEs:
#MicrosoftGraph has recently deployed support for #http2. 🚀🚀🚀
In this blog post I share a retrospective on how we made this happen for such a large #API
If you’d love to work together but don’t have the budget I can offer some discounts, just ask. I think it’s fair to say you’re not just paying for a keyboard monkey to knock out an article, you’re getting expertise, the name, and it’s going out on all my channels and newsletters (one of which is 2100 hardcore API nerds). 🙌🏻
Use discount code "HAPPY2024" to knock 15% off the price of paid writing or API consulting/workshops. Book now and let's get this year off to a productive start!
"The state of the art is no longer in finding more sophisticated ways to build JavaScript or CSS. It's not to build at all. To lean on HTTP/2 and the now universal support for import maps to avoid bundling."
#fefe on #http2 https://blog.fefe.de/?ts=9bdb4a0e
Besides, HTTP/2 is a Google invention. So Google is trying to establish a hero myth here, in which they save us from the monster they themselves created. Without mentioning the part where they created the monster. These tech bros always make me sick. #http
⚠️ If you are using HTTP/2 beware of the novel #zeroday #vulnerability dubbed the “HTTP/2 Rapid Reset” attack disclosed today.
This attack exploits a weakness in the #HTTP2 protocol to generate enormous Distributed Denial of Service (#DDoS) attacks:
@adulau This is from Akamai.
I'm not going to alt-text the image since it's only text and it's twice the size of the alt-text limit. I will add the text in this message below. So the alt-text is just the bit after the hashtags.
I don't have a link to the advisory as it was sent through their portal as this text. #CVE202344487 #HTTP2 #HTTPSRapidResetAttack #RapidResetAttack #Akamai #InfoSec
--
Advisory Title: Customers using Akamai Security Products are protected from CVE-2023-44487: HTTP2 Rapid Reset attacks.
This attack, while novel, is at the protocol level and would be mitigated by Akamai on behalf of its customers in the same manner as any other Layer 7 DDoS attack using security product capabilities like Rate Controls, Web Application Firewall (WSA), Bot Man Premier (BMP) or Client Reputation. No additional specific guidance is presently required to mitigate this threat. However, with the emergence of new threats, we encourage customers to work with their Akamai account team and update their security configurations, including rate controls, to ensure they are properly mitigating Layer 7 DDoS attacks.
Even customers without specific security solutions will benefit from built-in protections on the Akamai platform developed to mitigate this threat.
This attack exploits HTTP2 stream multiplexing: attackers immediately reset a stream after initiating a request, resulting in work on the edge server beyond the intended 100 stream limit. This could trigger tens of thousands of simultaneous requests from one connection. Most major HTTP2 stacks behave similarly, and patches or mitigations should be available on 10th October as well.
Akamai has actively participated in the global response to this vulnerability since August, collaborating with other industry stakeholders until its public announcement on October 10th. Over the course of September, we refined our edge delivery software to better detect and manage such attacks, including limiting streams available to abusive HTTP2 clients.
During the industry-wide confidentiality period, Akamai was bound not to disclose details about this vulnerability. However, we remained in close coordination with our partners to ensure customer protection and actively monitored our platform for this abuse.
Additional Customer Mitigation Guidance:
For SOCC and security customer mitigations, this should be treated the same as any other L7 DDoS attack.
Customers with security products in alert mode may observe an increase in attacks when this attack is made public. Customers may want to proactively put their products in deny mode and review or adjust rate controls accordingly.
Customers without rate controls or other security products in deny mode will have clients limited to 100 simultaneous requests per client connection, as per the HTTP2 specification. If an existing Akamai CDN customer needs protection against L7 DDoS attacks, they are encouraged to add AAP or AAP+ASM products to avail themselves of the L7 DDoS protections.
Prolexic customers should adopt vendor patches or vendor guidance which will be available on 10th October. If vendor mitigations are unavailable or a customer is under attack, the suggested mitigation is to disable HTTP2 until a patch can be applied.
Customers with origin infrastructure or other services exposed on the internet, not behind Akamai SiteShield or OIPACL, should update their vendors' software, apply vendor mitigations, or disable HTTP2 until a fix can be applied.
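The advisory above explains why the 100-stream cap alone does not help (a reset frees the slot immediately, so the request work has already started) and says the mitigation is to limit streams for abusive clients. The following is an added, constructed illustration of that per-connection accounting, not Akamai's code or the page's own: it replays HEADERS / RST_STREAM / END events for one connection, enforces the 100-stream cap, counts client-initiated resets in a sliding window, and flags the connection once resets exceed a threshold. The window size (`WINDOW_MS`), the reset threshold (`RESET_RATE_LIMIT`) and both traces are assumptions chosen for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Value quoted in the advisory: the usual per-connection concurrency cap
MAX_CONCURRENT_STREAMS = 100
# Assumed tunables for the detector (not Akamai's real thresholds)
WINDOW_MS = 1000          # sliding window for counting client resets
RESET_RATE_LIMIT = 50     # more client resets than this per window is abusive


@dataclass
class ConnectionState:
    """Per-connection accounting a server or edge proxy could keep."""
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)
    requests_accepted: int = 0          # backend work actually started
    rejected_for_concurrency: int = 0   # streams refused by the 100 cap
    max_concurrent: int = 0
    abusive: bool = False


def handle_frame(state, t_ms, frame_type, stream_id):
    """Apply one event to the connection. Returns True if accepted.

    frame_type is "HEADERS" (client starts a request), "RST_STREAM"
    (client cancels it) or "END" (server finished the response).
    """
    if frame_type == "HEADERS":
        if len(state.open_streams) >= MAX_CONCURRENT_STREAMS:
            state.rejected_for_concurrency += 1
            return False
        state.open_streams.add(stream_id)
        state.requests_accepted += 1
        state.max_concurrent = max(state.max_concurrent, len(state.open_streams))
        return True
    if frame_type == "RST_STREAM":
        # The reset frees the concurrency slot at once, which is why the
        # 100-stream cap alone does not bound the work a client can cause.
        state.open_streams.discard(stream_id)
        state.reset_times.append(t_ms)
        while state.reset_times and t_ms - state.reset_times[0] > WINDOW_MS:
            state.reset_times.popleft()
        if len(state.reset_times) > RESET_RATE_LIMIT:
            state.abusive = True
        return True
    if frame_type == "END":
        state.open_streams.discard(stream_id)
        return True
    raise ValueError(f"unknown frame type {frame_type!r}")


def analyze(events):
    """Replay (t_ms, frame_type, stream_id) events and return the final state."""
    state = ConnectionState()
    for t_ms, frame_type, stream_id in sorted(events):
        handle_frame(state, t_ms, frame_type, stream_id)
    return state


def recommended_action(state):
    """Mitigation named in the advisory: limit streams for (or drop) an
    abusive client; ordinary clients are left alone."""
    return "limit_streams_or_close" if state.abusive else "none"


def benign_trace():
    """Constructed: 150 ordinary requests, one every 10 ms, each answered
    by the server 20 ms later and never cancelled by the client."""
    events = []
    for i in range(150):
        sid = 2 * i + 1   # client-initiated stream ids are odd
        events.append((i * 10, "HEADERS", sid))
        events.append((i * 10 + 20, "END", sid))
    return events


def rapid_reset_trace():
    """Constructed: the pattern the advisory describes, 200 requests each
    cancelled by the client 1 ms after being sent."""
    events = []
    for i in range(200):
        sid = 2 * i + 1
        events.append((i * 2, "HEADERS", sid))
        events.append((i * 2 + 1, "RST_STREAM", sid))
    return events


if __name__ == "__main__":
    for name, trace in (("benign", benign_trace()), ("rapid reset", rapid_reset_trace())):
        s = analyze(trace)
        print(f"{name}: started={s.requests_accepted} max_concurrent={s.max_concurrent} "
              f"abusive={s.abusive} action={recommended_action(s)}")
```

Running it shows the point of the advisory: the rapid-reset trace starts 200 requests while never holding more than one stream open, so the concurrency cap rejects nothing, and only the reset-rate check marks the connection for limiting.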