HTTP/2 rapid reset attack impacting Nginx products (opens in new tab)

(nginx.com)

232 points120bits2y ago62 comments

62 comments

Important to note that unless your Nginx instance has a special (read: very high) keepalive limit configured, Nginx has a fairly reasonable defense against HTTP/2 rapid reset attack by default, as the article says. Still, interesting to see the response to these attacks.

dang2y ago

Related. Others?

HAProxy is not affected by the HTTP/2 Rapid Reset Attack - https://news.ycombinator.com/item?id=37837043 - Oct 2023 (31 comments)

The largest DDoS attack to date, peaking above 398M rps - https://news.ycombinator.com/item?id=37831062 - Oct 2023 (461 comments)

HTTP/2 Rapid Reset: deconstructing the record-breaking attack - https://news.ycombinator.com/item?id=37831004 - Oct 2023 (22 comments)

HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks - https://news.ycombinator.com/item?id=37830998 - Oct 2023 (69 comments)

The novel HTTP/2 'Rapid Reset' DDoS attack - https://news.ycombinator.com/item?id=37830987 - Oct 2023 (103 comments)

jchw2y ago

I don't know if a post to HN has been made (don't think so), but Envoy released 1.27.1 in response to Rapid Reset as well.

https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history...

msmith2y ago

Also Go's HTTP/2 packages - https://news.ycombinator.com/item?id=37863419

tialaramex2y ago

It's been interesting to see who is affected and who isn't and their rationale.

nomaxx1172y ago

I posted another one the other day which didn't get any traction but probably goes in the list: https://news.ycombinator.com/item?id=37835295

rewmie2y ago

Thanks for the helpful summary. It does wonder to provide context to such an important topic.

ComputerGuru2y ago

I’m stuck trying to figure out if this is technically desired behavior or not. If you were retroactively designing http/2 with this knowledge, would you have done anything different?

kelthan2y ago

Yes, because it's exploitable.

Systems that require very high cognitive load on their human operators (whether machines, programming languages, etc.) are alway destined to fail. Human beings are not good at doing boring, repetitious work that requires them to stay focused: lapses will occur. And hackers are going to find and exploit those gaps. So the best way to avoid those problems is to build solutions or specifications in which those gaps are not even possible.

Modern software systems are some of the most complex systems that humans have ever invented--and they just keep getting more complex over time as we layer new things on top of them. Think of a really high Jenga tower with lots of holes in the base.

That means we need to strive to keep things simple. That may mean making decisions that prevent common or severely impacting failure cases from being possible, even if it is a little more difficult to do, or eliminates an esoteric use-case. This is even more true when writing specifications that others will implement and/or be expected to conform to.

j16sdiz2y ago

I guess the parent post want to know if there are any _specific_ and _effective_ change for this kind of attacks.

In this case, simplifying the protocol won't help -- the vulnerability is:

  1. Backend servers can't cancel immediately (this is no protocol problem)

  2. The client can make concurrent request in a connection (This is the goal of Http/2)

  3. The concurrency is pre determined, there is no way for the server to throttle without user-visible error.
 
  4. The client can cancel any request mid-flight (removing this is equally bad, security-wise)

Unless you are removing the concurrency, making the protocol simpler won't fix it.

The protocol designer need adversary mindset, not a simpler mind

2 more replies

nimbius2y ago

FYI this is for the commercial nginx product, hastily purchased by F5 a few years back when software load balancers were annihilating their hardware offering.

Curious to see f5 still playing games with their own cve disclosure on the bigip product though...assigning it a mitre cw400 is just lying.

https://my.f5.com/manage/s/article/K000137106

gshulegaard2y ago

Both http2_max_concurrent_streams and keepalive_requests (the configuration parameters discussed in this article) are configuration parameters available in open source nginx:

http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_...

http://nginx.org/en/docs/http/ngx_http_core_module.html#keep...

So are limit_conn and limit_req:

https://nginx.org/en/docs/http/ngx_http_limit_conn_module.ht...

https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...

So it pertains to both NGINX and NGINX+.

eastdakota2y ago

From some first-hand experience over the last few months… these suggestions and patch will help prevent a single client from overwhelming an NGINX server, but it will do little to stop even a modest botnet from generating enough requests to be a problem. Keeping some state on IPs and downgrading those that exceed limits to HTTP/1.1 I believe is the only effective defense. Tuning those thresholds to get them right is… challenging.

22c2y ago

If the only viable fix is to downgrade clients to an earlier protocol, do you take that to mean that there is a fundamental weakness in the protocol itself?

codetrotter2y ago

Hehe, when I heard about the attack a couple of days ago I was interested to know if Nginx was affected and did a search on Google for the CVE of that attack followed by the name of Nginx.

I didn’t find anything relevant so I assumed that Nginx was not affected.

Turns out that was not a good assumption :p

herpderperator2y ago

If you read the article, you'll see that the default configuration is not affected.

ziddoap2y ago

CVEs aren't restricted to only consider default configs.

1 more reply

codetrotter2y ago

I know. But not everyone uses the default configuration.

1 more reply

ahoka2y ago

I immediately thought I’m happy not having to operate anything with nginx in front of it.

k_roy2y ago

So you are operating every other product that was impacted by this?

This headline is pretty misleading as the article outlines you would need a fairly non-standard config to be exploited like this.

Versus many other products that the stock configs are vulnerable.

otherme1232y ago

I did the same search a couple days ago with Duck, and this blog entry was the first or among the first results.

amelius2y ago

> this vulnerability can be exploited to execute a denial-of-service attack

Title should contain this info.

getcrunk2y ago

> layer 4 monitoring and alerting tools

What do you guys use? Anything foss and not an applicance?

1vuio0pswjnm72y ago

If someone asked me how to "speed up the web", I would not suggest "use HTTP/2". I would remove ads and other garbage. As a decades long non-popular browser and TCP client user, I can testify this works very effectively. I prefer to have full control over the resources that I request, whether text or binary, so no auto-loading resources, no Javascript-requested resources and no HTTP/2 "server push". The clients I use do not auto-load resources, run Javascript nor carry out "server push". Works great for me. Web is not slow.

According to HTTP/2 proponents, the protocol originated at an online advertising services company and was developed by companies that profit from sale and delivery of online advertising, HTTP/2 was designed to "speed up the web".

I respect that opinions on HTTP/2 may differ. If someone loves HTTP/2, then I respect that opinion. In return I ask that others respect opinions that may differ from their own, including mine. NB. This comment speaks only for the web user submitting it. It does not speak for other web users. IMHO, no HN commenter can speak for other web users either. Thank you.

wvenable2y ago

I would say that a text-only experience is valid I don't think it's how the majority of people want to use the web. Users want a rich multimedia experience.

If HTTP/2 speeds up a rich multimedia web experience then it may legitimately be one way to "speed up the web" for someone who expects that level of experience.

I don't think it's fair to criticize a protocol for who designed it. The specification is out there for anyone to interpret and if there is specific complaint in it's design then make that.

jillesvangurp2y ago

HTTP/3 is now the version to upgrade to. We're in Google cloud so we've been running that for some time now without issues. Works great actually.

I don't get all this anti HTTP 2 & 3 sentiment on hacker news. What's wrong with people here? HTTP 1.1 is a quarter century old at this point. This sounds just like a bunch of grumpy old men arguing against progress. Time to move on. Yes HTTP/1.1 works. But it's also a bit limited and slow in various ways that both new HTTP variants address. One little bug in nginx is not going to change anything. Bugs happen all the time. They get fixed and people move on. I'm not hearing a lot of rational arguments here.

gear54rus2y ago

Well you ain't getting no-JS webpages because it's too useful so maybe HTTP/2 in the end? Adblock helps with ad I hear.

veeti2y ago

HTTP2 Server Push has been deprecated already https://developer.chrome.com/blog/removing-push/

otabdeveloper42y ago

I work in adtech and I haven't heard anybody in the industry push for HTTP/2.

It's still HTTP/1.1 everywhere here.

blackbeans2y ago

What about the old and proven Apache? Is it affected?

phendrenad22y ago

How does HTTP/1.1 stand up to the current attack?

eastdakota2y ago

Not impacted.

andrewstuart2y ago

Anyone know if it affects Caddy?

MallocVoidstar2y ago

Patched in 2.7.5: https://github.com/caddyserver/caddy/releases/tag/v2.7.5

I think it might also require a patched version of Go.

jprd2y ago

You could 'caddy upgrade' pretty quickly to get the patch (servers had updated go), though the release number bump didn't happen immediately.

Running the same now, or pulling a new binary, using xcaddy, etc. will get you 2.7.5 which also includes some other small fixes not related to rapid reset.

kelthan2y ago

There are new versions of Go which have this CVE patched already published and available for download.

bullen2y ago

Just use HTTP/1.1, it's the final protocol.

Nothing Google or Microsoft does will dethrone it.

Forget the browser; use a C or Java client and HTTP.

If they block port 80, just use another port.

They cannot win.

knorker2y ago

Who is "they"?

Is there some kind of evil back room conspiracy to make the web faster, using open standards?

bullen2y ago

They are those that disable HTTP.

Like it was not enough to make HTTPS default, they need to eradicate the opposition.

The list is too long to enumerate but they all have one thing in common; they profit from root certificates.

The web is not faster, it's bloated. It's only open if you can understand it and implement it.

HTTP/1.1 is the fastest, most open, web you'll ever have; because it is small.

1 more reply

ChrisArchitect2y ago

Why the submission OP?

Lots of discussion and submissions related to this over the last few days, not to mention this submitted 2 days ago

jacquesm2y ago

Because Nginx is a very widespread high performance web server that initially seemed not to be impacted but now it turns out that it is.

k_roy2y ago

Except it's only impacted in a pretty non-standard config.

Not that it's not important to disseminate the knowledge, but the chosen title here is deliberatley sensational

1 more reply

tmpX7dMeXU2y ago

There is no new revelation here.

j / k navigate · click thread line to collapse

62 comments

sickofparadox2y ago

dang2y ago

Related. Others?

HAProxy is not affected by the HTTP/2 Rapid Reset Attack - https://news.ycombinator.com/item?id=37837043 - Oct 2023 (31 comments)

The largest DDoS attack to date, peaking above 398M rps - https://news.ycombinator.com/item?id=37831062 - Oct 2023 (461 comments)

HTTP/2 Rapid Reset: deconstructing the record-breaking attack - https://news.ycombinator.com/item?id=37831004 - Oct 2023 (22 comments)

HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks - https://news.ycombinator.com/item?id=37830998 - Oct 2023 (69 comments)

The novel HTTP/2 'Rapid Reset' DDoS attack - https://news.ycombinator.com/item?id=37830987 - Oct 2023 (103 comments)

jchw2y ago

I don't know if a post to HN has been made (don't think so), but Envoy released 1.27.1 in response to Rapid Reset as well.

https://www.envoyproxy.io/docs/envoy/v1.27.1/version_history...

msmith2y ago

Also Go's HTTP/2 packages - https://news.ycombinator.com/item?id=37863419

tialaramex2y ago

It's been interesting to see who is affected and who isn't and their rationale.

nomaxx1172y ago

I posted another one the other day which didn't get any traction but probably goes in the list: https://news.ycombinator.com/item?id=37835295

rewmie2y ago

Thanks for the helpful summary. It does wonder to provide context to such an important topic.

ComputerGuru2y ago

I’m stuck trying to figure out if this is technically desired behavior or not. If you were retroactively designing http/2 with this knowledge, would you have done anything different?

kelthan2y ago

Yes, because it's exploitable.

j16sdiz2y ago

I guess the parent post want to know if there are any _specific_ and _effective_ change for this kind of attacks.

In this case, simplifying the protocol won't help -- the vulnerability is:

  1. Backend servers can't cancel immediately (this is no protocol problem)

  2. The client can make concurrent request in a connection (This is the goal of Http/2)

  3. The concurrency is pre determined, there is no way for the server to throttle without user-visible error.
 
  4. The client can cancel any request mid-flight (removing this is equally bad, security-wise)

Unless you are removing the concurrency, making the protocol simpler won't fix it.

The protocol designer need adversary mindset, not a simpler mind

2 more replies

nimbius2y ago

FYI this is for the commercial nginx product, hastily purchased by F5 a few years back when software load balancers were annihilating their hardware offering.

Curious to see f5 still playing games with their own cve disclosure on the bigip product though...assigning it a mitre cw400 is just lying.

https://my.f5.com/manage/s/article/K000137106

gshulegaard2y ago

Both http2_max_concurrent_streams and keepalive_requests (the configuration parameters discussed in this article) are configuration parameters available in open source nginx:

http://nginx.org/en/docs/http/ngx_http_v2_module.html#http2_...

http://nginx.org/en/docs/http/ngx_http_core_module.html#keep...

So are limit_conn and limit_req:

https://nginx.org/en/docs/http/ngx_http_limit_conn_module.ht...

https://nginx.org/en/docs/http/ngx_http_limit_req_module.htm...

So it pertains to both NGINX and NGINX+.

eastdakota2y ago

22c2y ago

If the only viable fix is to downgrade clients to an earlier protocol, do you take that to mean that there is a fundamental weakness in the protocol itself?

codetrotter2y ago

Hehe, when I heard about the attack a couple of days ago I was interested to know if Nginx was affected and did a search on Google for the CVE of that attack followed by the name of Nginx.

I didn’t find anything relevant so I assumed that Nginx was not affected.

Turns out that was not a good assumption :p

herpderperator2y ago

If you read the article, you'll see that the default configuration is not affected.

ziddoap2y ago

CVEs aren't restricted to only consider default configs.

1 more reply

codetrotter2y ago

I know. But not everyone uses the default configuration.

1 more reply

ahoka2y ago

I immediately thought I’m happy not having to operate anything with nginx in front of it.

k_roy2y ago

So you are operating every other product that was impacted by this?

This headline is pretty misleading as the article outlines you would need a fairly non-standard config to be exploited like this.

Versus many other products that the stock configs are vulnerable.

otherme1232y ago

I did the same search a couple days ago with Duck, and this blog entry was the first or among the first results.

amelius2y ago

> this vulnerability can be exploited to execute a denial-of-service attack

Title should contain this info.

getcrunk2y ago

> layer 4 monitoring and alerting tools

What do you guys use? Anything foss and not an applicance?

1vuio0pswjnm72y ago

wvenable2y ago

I would say that a text-only experience is valid I don't think it's how the majority of people want to use the web. Users want a rich multimedia experience.

If HTTP/2 speeds up a rich multimedia web experience then it may legitimately be one way to "speed up the web" for someone who expects that level of experience.

I don't think it's fair to criticize a protocol for who designed it. The specification is out there for anyone to interpret and if there is specific complaint in it's design then make that.

jillesvangurp2y ago

HTTP/3 is now the version to upgrade to. We're in Google cloud so we've been running that for some time now without issues. Works great actually.

gear54rus2y ago

Well you ain't getting no-JS webpages because it's too useful so maybe HTTP/2 in the end? Adblock helps with ad I hear.

veeti2y ago

HTTP2 Server Push has been deprecated already https://developer.chrome.com/blog/removing-push/

otabdeveloper42y ago

I work in adtech and I haven't heard anybody in the industry push for HTTP/2.

It's still HTTP/1.1 everywhere here.

blackbeans2y ago

What about the old and proven Apache? Is it affected?

phendrenad22y ago

How does HTTP/1.1 stand up to the current attack?

eastdakota2y ago

Not impacted.

andrewstuart2y ago

Anyone know if it affects Caddy?

MallocVoidstar2y ago

Patched in 2.7.5: https://github.com/caddyserver/caddy/releases/tag/v2.7.5

I think it might also require a patched version of Go.

jprd2y ago

You could 'caddy upgrade' pretty quickly to get the patch (servers had updated go), though the release number bump didn't happen immediately.

Running the same now, or pulling a new binary, using xcaddy, etc. will get you 2.7.5 which also includes some other small fixes not related to rapid reset.

kelthan2y ago

There are new versions of Go which have this CVE patched already published and available for download.

bullen2y ago

Just use HTTP/1.1, it's the final protocol.

Nothing Google or Microsoft does will dethrone it.

Forget the browser; use a C or Java client and HTTP.

If they block port 80, just use another port.

They cannot win.

knorker2y ago

Who is "they"?

Is there some kind of evil back room conspiracy to make the web faster, using open standards?

bullen2y ago

They are those that disable HTTP.

Like it was not enough to make HTTPS default, they need to eradicate the opposition.

The list is too long to enumerate but they all have one thing in common; they profit from root certificates.

The web is not faster, it's bloated. It's only open if you can understand it and implement it.

HTTP/1.1 is the fastest, most open, web you'll ever have; because it is small.

1 more reply

ChrisArchitect2y ago

Why the submission OP?

Lots of discussion and submissions related to this over the last few days, not to mention this submitted 2 days ago

jacquesm2y ago

Because Nginx is a very widespread high performance web server that initially seemed not to be impacted but now it turns out that it is.

k_roy2y ago

Except it's only impacted in a pretty non-standard config.

Not that it's not important to disseminate the knowledge, but the chosen title here is deliberatley sensational

1 more reply

tmpX7dMeXU2y ago

There is no new revelation here.

j / k navigate · click thread line to collapse