
Cybersecurity and Infrastructure Security Agency (CISA) advises system upgrades amid persistent DDoS attacks exploiting the Rapid Reset zero-day vulnerability

Microsoft has offered advice on measures to lessen impact, whilst F5 has flagged the potential danger of denial-of-service attacks aimed at Nginx Open Source.

Distributed Denial of Service (DDoS) attacks continue to exploit the Rapid Reset zero-day vulnerability, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to recommend immediate security upgrades.


In a series of coordinated disclosures, several tech giants, including AWS, Google, and Cloudflare, have warned that malicious actors have been exploiting a high-severity vulnerability in HTTP/2 servers to launch record-breaking DDoS attacks since late August. The vulnerability, tracked as CVE-2023-44487, has been causing significant concern among organizations using Nginx and related products.

The Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to apply patches and consider configuration changes because of this vulnerability. Nginx, an open-source web server, load balancer, and reverse proxy, by default limits concurrent HTTP/2 streams to 128, up to a maximum of 1,000. If Nginx is configured to accept a higher number of requests, however, an attack could exhaust system resources and cause a denial of service.

To protect against the HTTP/2 Rapid Reset vulnerability, key protective measures include:

  1. Apply official patches or updates: Vendors, including Nginx and other HTTP/2 server implementations, have issued patches or workarounds to address Rapid Reset and its related follow-up vulnerability MadeYouReset (CVE-2025-8671). Administrators should check with Nginx and relevant third-party software vendors and promptly update to versions that fix this issue.
  2. Limit or filter RST_STREAM frames: The Rapid Reset vulnerability exploits clients rapidly sending RST_STREAM (stream reset) frames to cancel requests and cause resource exhaustion. Mitigations include limiting the number or rate of RST_STREAM frames accepted from clients to prevent unbounded concurrency.
  3. Use HTTP/2-specific DoS protections: Because these attacks abuse HTTP/2 multiplexing and flow-control features, rate-limiting HTTP/2 streams, prioritizing legitimate traffic, and monitoring for abnormal HTTP/2 stream reset usage help detect and block abuse.
  4. Deploy upstream DDoS protection and filtering: Using Web Application Firewalls (WAFs), dedicated DDoS mitigation appliances, or cloud DDoS protection services that understand HTTP/2 protocol behavior can detect and block suspicious patterns linked to Rapid Reset attacks.

F5, a company that provides application delivery networking solutions, is taking additional steps so that customers who need to configure Nginx beyond the recommended specifications can continue to do so: it is releasing a patch on Wednesday to improve stability for such configurations. Microsoft has also urged customers to apply security patches for the vulnerability, but there is no evidence of customer data being compromised.

The record-breaking DDoS attacks reached as high as 398 million requests per second, according to Google's Tuesday blog post. F5 has advised users of its Nginx open-source project to apply immediate upgrades to configuration files due to the vulnerability. Operators should also remain alert for updates regarding the related MadeYouReset vulnerability, as it extends exploitation methods beyond original mitigations.

In a blog post released Tuesday, F5 details this advice, emphasizing the importance of prompt action to protect against these powerful attacks. HTTP/2, developed in 2015, is a protocol that enables more efficient data streams, but it is vulnerable to such attacks because of the speed at which multiplexed streams can be opened and reset. Protecting Nginx and similar servers against CVE-2023-44487 involves applying the patches, implementing or configuring mitigation for excessive HTTP/2 stream reset frames, and strengthening monitoring and rate-limiting of HTTP/2 control frames to prevent the resource exhaustion and denial of service these attacks cause.
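The reset-rate mitigation described in steps 2 and 3 of the list above and in the paragraph just above can be modelled as a small per-connection monitor. The following Python is an added example for illustration; it is not Nginx's or F5's code and does not reflect any vendor's internal implementation. It assumes a simplified event feed of HTTP/2 frames (timestamp, connection id, frame type, stream id), and the sliding-window size and reset threshold are hypothetical values chosen for the demonstration, not vendor defaults. The sample traffic is constructed inline: one well-behaved client and one client that opens and immediately cancels streams. The example also records each connection's peak number of simultaneously open streams, which shows why the 128-stream concurrency cap mentioned in the article does not by itself stop the pattern: the cancelling client never holds more than one stream open at a time.

```python
"""Per-connection HTTP/2 stream-reset monitor (added example, not vendor code).

Counts RST_STREAM frames a client sends per connection inside a sliding time
window and flags the connection once the count exceeds a threshold.  It also
enforces a plain concurrent-stream cap so the two controls can be compared.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

MAX_CONCURRENT_STREAMS = 128  # default concurrent-stream limit cited in the article
RESET_WINDOW_SECONDS = 1.0    # assumed sliding-window length (hypothetical)
MAX_RESETS_PER_WINDOW = 100   # assumed reset threshold per window (hypothetical)


@dataclass
class ConnectionState:
    open_streams: set = field(default_factory=set)
    reset_times: deque = field(default_factory=deque)
    peak_open: int = 0   # highest number of simultaneously open streams seen
    refused: int = 0     # HEADERS frames refused by the concurrency cap
    flagged: bool = False


class RapidResetMonitor:
    def __init__(self, max_streams=MAX_CONCURRENT_STREAMS,
                 window=RESET_WINDOW_SECONDS, max_resets=MAX_RESETS_PER_WINDOW):
        self.max_streams = max_streams
        self.window = window
        self.max_resets = max_resets
        self.conns = defaultdict(ConnectionState)

    def observe(self, ts, conn_id, frame, stream_id):
        """Process one frame event; return 'ok', 'refused' or 'flagged'."""
        st = self.conns[conn_id]
        if st.flagged:
            return "flagged"  # connection already marked for dropping
        if frame == "HEADERS":
            # Classic concurrency cap: refuse a new stream when the cap is reached.
            if len(st.open_streams) >= self.max_streams:
                st.refused += 1
                return "refused"
            st.open_streams.add(stream_id)
            st.peak_open = max(st.peak_open, len(st.open_streams))
            return "ok"
        if frame == "RST_STREAM":
            # Client cancelled the stream; it no longer counts as open, which is
            # exactly how Rapid Reset slips under the concurrency cap.
            st.open_streams.discard(stream_id)
            st.reset_times.append(ts)
            # Drop reset timestamps that have aged out of the sliding window.
            while st.reset_times and ts - st.reset_times[0] > self.window:
                st.reset_times.popleft()
            if len(st.reset_times) > self.max_resets:
                st.flagged = True
                return "flagged"
            return "ok"
        if frame == "END_STREAM":
            st.open_streams.discard(stream_id)  # response delivered normally
        return "ok"


def make_sample_events():
    """Constructed sample traffic: one normal client, one rapid-reset client."""
    events = []
    # Normal client: 50 sequential requests over ~5 s, each completed by the server.
    for i in range(50):
        sid = 2 * i + 1
        events.append((i * 0.1, "conn-normal", "HEADERS", sid))
        events.append((i * 0.1 + 0.05, "conn-normal", "END_STREAM", sid))
    # Abusive client: opens and immediately resets 500 streams within ~0.5 s.
    for i in range(500):
        sid = 2 * i + 1
        t = i * 0.001
        events.append((t, "conn-attacker", "HEADERS", sid))
        events.append((t + 0.0001, "conn-attacker", "RST_STREAM", sid))
    events.sort(key=lambda e: e[0])
    return events


def analyze(events, monitor=None):
    """Feed events through the monitor; return per-connection summary dicts."""
    mon = monitor or RapidResetMonitor()
    for ts, conn_id, frame, sid in events:
        mon.observe(ts, conn_id, frame, sid)
    return {
        conn_id: {"flagged": st.flagged, "refused": st.refused, "peak_open": st.peak_open}
        for conn_id, st in mon.conns.items()
    }


if __name__ == "__main__":
    for conn_id, summary in analyze(make_sample_events()).items():
        print(conn_id, summary)
```

Running the block shows the normal connection unflagged with a peak of one open stream, and the abusive connection flagged by the reset-rate check while its peak open-stream count is also one and the concurrency cap refused nothing. That gap is the reason the advice above pairs patching with a limit on RST_STREAM frames rather than relying on the stream cap alone.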

  1. In light of the CVE-2023-44487 vulnerability affecting HTTP/2 servers, the Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to apply patches and consider configuration changes to protect against potential DDoS attacks.
  2. As a precautionary measure, F5 released a patch on Wednesday to improve Nginx stability for configurations beyond the recommended specifications, addressing customers who need to configure Nginx more extensively.
  3. The HTTP/2 Rapid Reset vulnerability not only heavily affects businesses running Nginx and related products, but also presents a risk to financial institutions, underscoring the need for cybersecurity vigilance in that sector.
  4. To guard against the broader exploitation methods of the MadeYouReset vulnerability, operators should monitor for updates, remain alert to subsequent threats, and keep their data and cloud security controls current.
