This is a vulnerability in the HTTP/2 protocol that is being targeted by DDoS attacks. I don't see what this has to do with a rate-limiting feature. The only thing related to rate limiting seems to me to be the migitation strategy.

The real question is at what layer this needs to be addressed. Do we need to wait for a fix in x/net/http2, or is this something that caddy needs to implement itself?

Response of nginx: https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/

Apache's migitation strategy: https://chaos.social/@icing/111210915918780532

HTTP/2 Rapid Reset : CVE-2023-44487 #5877

Description

extremeshokopenedon Oct 10, 2023

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

extremeshok
openedon Oct 10, 2023