HTTP/2 Rapid Reset DDoS Mitigaton

[mbabitski-t]

Motivation

Provide protection against HTTP/2 Rapid Reset if TempestaFW is susceptible to this type of attack.

Links

Original blog post: https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack

CVE: https://nvd.nist.gov/vuln/detail/CVE-2023-44487

Possible remediation: https://gist.github.com/adulau/7c2bfb8e9cdbe4b35a5e131c66a0c088#potential-remediation

[krizhanovsky]

I think simple request rate limit should catch the massive amount of requests, even reset immediately. Probably we should just start with testing the scenario with our go/python tests suites. We're not sure that we Frang accounts not full HTTP requests - need to test.

Actually we should have Frang tests for HTTP/2, but it seems we lost the. Need to reimplement frang tests for HTTP/2

[RomanBelozerov]

We have request_rate and request_burst directives from frang against this DDoS-attack. Closed as completed.