Researchers and vendors have disclosed a denial-of-service (DoS) vulnerability in the HTTP/2 protocol. The vulnerability (CVE-2023-44487), known as Rapid Reset, was exploited in the wild from August 2023 through October 2023.
CISA recommends organizations that provide HTTP/2 services apply patches when available and consider configuration changes and other mitigations discussed in the references below. For more information on Rapid Reset, see:
[ul]
[li]Cloudflare: HTTP/2 Rapid Reset: deconstructing the record-breaking attack[/li]
[li]Google: How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack[/li]
[li]AWS: CVE-2023-44487 - HTTP/2 Rapid Reset Attack[/li]
[li]NGINX: HTTP/2 Rapid Reset Attack Impacting NGINX Products[/li]
[/ul]
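As background for the configuration changes and mitigations mentioned above: the vendor write-ups referenced here describe Rapid Reset as a client opening a stream with a HEADERS frame and immediately cancelling it with RST_STREAM, so the stream never counts against the server's SETTINGS_MAX_CONCURRENT_STREAMS limit while the server still does the work of starting the request. The mitigations the vendors deployed are variations on one idea: count resets per connection and drop connections whose reset behaviour is abusive. The following is an added example written for this page (it is not CISA's, Cloudflare's, Google's, AWS's or NGINX's code): a minimal HTTP/2 frame parser that counts HEADERS and RST_STREAM frames per connection and applies that heuristic. The thresholds (100 resets, 80% reset ratio), the sample traffic and the names `parse_frames`, `rapid_reset_stats` and `is_rapid_reset` are all assumptions of this example.

```python
"""Heuristic detector for HTTP/2 Rapid Reset (CVE-2023-44487) traffic.

Parses raw client-to-server HTTP/2 frames (the bytes after the connection
preface), counts streams opened with HEADERS and streams cancelled with
RST_STREAM, and flags a connection whose reset count and reset ratio exceed
thresholds. Thresholds and sample traffic are constructed for illustration.
"""
import struct
from dataclasses import dataclass

# Frame type codes from RFC 9113 section 6.
HEADERS = 0x1
RST_STREAM = 0x3
ERR_CANCEL = 0x8          # RST_STREAM error code CANCEL
FRAME_HEADER_LEN = 9      # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> list:
    """Split a byte string into HTTP/2 frames (RFC 9113 section 4.1 layout)."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        # Top bit of the stream id field is reserved and masked off.
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += FRAME_HEADER_LEN
        if off + length > len(data):
            raise ValueError("truncated frame payload")
        frames.append(Frame(length, ftype, flags, stream_id, data[off:off + length]))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes do not form a complete frame header")
    return frames


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialize one frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def rapid_reset_stats(frames: list) -> dict:
    """Count streams opened by the client and how many it reset itself."""
    opened, reset = set(), set()
    for f in frames:
        if f.stream_id == 0:
            continue  # connection-level frames (SETTINGS, PING, ...) are not streams
        if f.ftype == HEADERS:
            opened.add(f.stream_id)
        elif f.ftype == RST_STREAM and f.stream_id in opened:
            reset.add(f.stream_id)
    ratio = len(reset) / len(opened) if opened else 0.0
    return {"opened": len(opened), "reset": len(reset), "reset_ratio": ratio}


def is_rapid_reset(frames: list, min_resets: int = 100, min_ratio: float = 0.8) -> bool:
    """Abuse heuristic: many resets AND almost every opened stream was reset.

    A legitimate client cancels a few requests; a Rapid Reset client cancels
    nearly all of them. Thresholds are assumed values, not vendor settings.
    """
    s = rapid_reset_stats(frames)
    return s["reset"] >= min_resets and s["reset_ratio"] >= min_ratio


def attack_sample(n: int) -> bytes:
    """Constructed attack traffic: open a stream, cancel it at once, repeat."""
    out = bytearray()
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        # Placeholder header block: HPACK static indices for ':method GET', ':path /'.
        out += build_frame(HEADERS, 0x05, sid, b"\x82\x84")  # END_STREAM | END_HEADERS
        out += build_frame(RST_STREAM, 0x00, sid, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


def benign_sample() -> bytes:
    """Constructed normal traffic: ten requests, one of them cancelled by the user."""
    out = bytearray()
    for i in range(10):
        out += build_frame(HEADERS, 0x05, 2 * i + 1, b"\x82\x84")
    out += build_frame(RST_STREAM, 0x00, 3, struct.pack(">I", ERR_CANCEL))
    return bytes(out)


if __name__ == "__main__":
    for name, sample in (("attack", attack_sample(200)), ("benign", benign_sample())):
        frames = parse_frames(sample)
        print(name, rapid_reset_stats(frames), "flag:", is_rapid_reset(frames))
```

The vendor mitigations apply this kind of count per connection over a time window and close the connection when it trips; this example evaluates a captured byte string in one pass and leaves the windowing to the caller. Real header blocks are HPACK-compressed and the server would normally also see SETTINGS and WINDOW_UPDATE frames on stream 0, which the parser skips; a production check should also watch for resets of streams the server has already answered, which this example does not model.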
Organizations can take proactive steps to reduce the effects of DoS attacks. See the following guidance for more information:
[ul]
[li]CISA: Understanding and Responding to Distributed Denial-of-Service Attacks[/li]
[li]CISA: Additional DDoS Guidance for Federal Agencies[/li]
[/ul]