HTTP/2 Rapid Reset
DoYouKnowWhoElse opened this issue
Muscle Man commented
Have any patches for the HTTP/2 CVE been released?
https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
Muscle Man commented
Any update?
Muscle Man commented
This urgently needs to be patched, to be honest.
synodriver commented
I suggest looking into this function to see if the sans-io based protocol parser actually handles this issue.
Phil Jones commented
I think the correct fix is to apply a max keep alive requests. I have a patch being tested locally.
Note, though, I don't think Hypercorn itself is that vulnerable, as resetting streams quickly isn't likely to be that costly.
Phil Jones commented
Mitigation in 926c430
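The "max keep alive requests" idea from the comments above, sketched as an added example: this is not Hypercorn's code and not the contents of 926c430, and `ConnectionGuard`, `open_then_reset` and the limits used are hypothetical. It models per-connection accounting to show that a concurrent-stream limit alone does not bound the number of requests when each stream is reset right after it is opened, while a lifetime request cap does.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class ConnectionGuard:
    """Request accounting for one HTTP/2 connection (hypothetical helper)."""
    max_concurrent_streams: int = 100    # what SETTINGS_MAX_CONCURRENT_STREAMS bounds
    max_requests: Optional[int] = 1000   # lifetime cap per connection; None disables it
    open_streams: Set[int] = field(default_factory=set)
    total_requests: int = 0
    closing: bool = False                # True once the server should send GOAWAY

    def on_headers(self, stream_id: int) -> str:
        """A new request arrived. Returns 'accept', 'goaway' or 'refuse'."""
        if self.closing or len(self.open_streams) >= self.max_concurrent_streams:
            return "refuse"
        self.total_requests += 1
        self.open_streams.add(stream_id)
        if self.max_requests is not None and self.total_requests >= self.max_requests:
            # Serve this last request, then close: resets cannot refill the budget.
            self.closing = True
            return "goaway"
        return "accept"

    def on_rst_stream(self, stream_id: int) -> None:
        # A reset frees the concurrency slot at once; total_requests is NOT decremented.
        self.open_streams.discard(stream_id)


def open_then_reset(guard: ConnectionGuard, attempts: int) -> int:
    """Constructed traffic: each stream is opened and reset immediately.
    Returns how many requests the server accepted and had to start handling."""
    accepted = 0
    for i in range(attempts):
        stream_id = 2 * i + 1            # client-initiated stream ids are odd
        if guard.on_headers(stream_id) != "refuse":
            accepted += 1
        guard.on_rst_stream(stream_id)
    return accepted


if __name__ == "__main__":
    print("concurrency limit only:", open_then_reset(ConnectionGuard(max_requests=None), 10_000))
    print("with lifetime cap     :", open_then_reset(ConnectionGuard(max_requests=1000), 10_000))
```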