Why you don't need to worry about the novel HTTP/2 ‘Rapid Reset’ DDoS attack (CVE-2023-44487)
We've had a few concerned customers asking about the Google disclosure of the recent huge DDoS attack (398 million rps), and the potential underlying vulnerability in some HTTP/2 servers, CVE-2023-44487.
Please rest assured: you don't need to panic.
Our load balancer is based on HAProxy, and the HAProxy project has confirmed that the open source code is not vulnerable to this attack.
Also bear in mind the obvious point that the attack is only possible if you are using HTTP/2, which still has a pretty low uptake.
N.B. if you need HTTP/2 and want mitigation against this vulnerability, you will need to be running at least v8.7.0 of our appliance.
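To see whether the point above about HTTP/2 uptake applies to your own endpoints, here is an added example (not Loadbalancer.org's code) that asks a server which ALPN protocol it will speak; the host list, the `negotiated_protocol`/`classify`/`check_hosts` names and the verdict strings are my own assumptions.

```python
import socket
import ssl
import sys

# Protocols offered to the server, in preference order. A server that
# selects "h2" will serve HTTP/2 to browsers, so the Rapid Reset attack
# surface (CVE-2023-44487) is relevant to it; one that selects "http/1.1"
# or nothing at all is not exposed via this path.
OFFERED_ALPN = ["h2", "http/1.1"]


def negotiated_protocol(host, port=443, timeout=5.0):
    """Open a TLS connection and return the ALPN protocol the server chose.

    Returns "h2", "http/1.1", "" when the server negotiated no ALPN
    protocol, or None when the host is unreachable or the TLS handshake
    (including certificate verification) fails.
    """
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(OFFERED_ALPN)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.selected_alpn_protocol() or ""
    except OSError:  # covers DNS failure, refused/timed-out connections, SSLError
        return None


def classify(selected):
    """Map an ALPN result to a short verdict about HTTP/2 exposure (assumed wording)."""
    if selected is None:
        return "unreachable"
    if selected == "h2":
        return "http2-enabled: confirm your load balancer build carries the mitigation"
    return "http1-only: Rapid Reset does not apply"


def check_hosts(hosts):
    """Probe each host on port 443 and return {host: verdict}."""
    return {h: classify(negotiated_protocol(h)) for h in hosts}


if __name__ == "__main__":
    # Usage: python h2_check.py vip.example.com api.example.com
    for host, verdict in check_hosts(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

The probe only tells you what the front end negotiates; a back end that still speaks HTTP/2 behind an HTTP/1.1-only VIP is not reached by this check.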
Some of our competitors aren't quite as confident.
- F5 are vulnerable to uncontrolled resource consumption from this attack, and it's not very clear what they're suggesting you do about it. I'm sure they will patch it soon, and to be honest it's not as scary as the two big breaches last year.
- NGINX is safe with default settings, but they have a patch and some recommendations for you to check and implement.
- A10 hadn't said anything, which was concerning... Ah no, they updated on the 18th: they have a patch and a recommended mitigation strategy, changing the default frame limit from 10,000 to 50.
- Kemp hadn't said anything, which was concerning... Wait, they updated on the 16th; looks like they are OK.
- Radware hasn't said anything, which is concerning... Ah no, now they say they are thinking about it... and it's the 24th!
But it's never wise to gloat: the next security breach could affect anyone.
Here at Loadbalancer we are strong believers in transparency and full disclosure. We believe deeply in the open source model, and work closely with the open source community to ensure you get the security that you deserve.
We also understand that security vulnerabilities and patches are inevitable. However, we feel that vendors could do much more to help you...
...by designing load balancers with less complexity
...by encouraging simpler deployment architecture
...by thinking about your applications, not just their ADC
...by taking the time to understand you and your business
This has led us to develop load balancers that are clever, not complex. In other words, our products offer the functionality required, but are simpler to implement, easier to use and maintain, and designed to solve the availability and performance problems of the majority of applications deployed on this planet.
Because, as most people will tell you, unnecessary complexity can leave you vulnerable.
We are not your average load balancing vendor.
We are a commercial business, but heavily reliant on open source software like HAProxy, and make an active contribution to this amazing community.
We believe in the power of open source and, unlike other vendors, are very open about what we use, and why. And when we implement new functionality, we give it back to the community, for example:
- Announcing CVE-2021-35368: OWASP ModSecurity Core Rule Set Bypass
- Loadbalancer.org releases Open Source SNMP MIB and Agent for HAProxy
- Integration of an external health check into the main branch of HAProxy
- Releasing an open source SNMP MIB and agent for HAProxy
- Integrating a 'server side' feedback agent into the main branch of HAProxy
Simply put, more eyes means that open source tools are stronger, better, faster and more secure, which is fundamentally why we believe open source is better than proprietary.