Why you don't need to worry about the novel HTTP/2 ‘Rapid Reset’ DDoS attack (CVE-2023-44487)


We've had a few concerned customers asking about Google's disclosure of the recent record-breaking DDoS attack (398 million requests per second) and the underlying vulnerability in some HTTP/2 servers, CVE-2023-44487.

Please rest assured, you don't need to panic.

Our load balancer is based on HAProxy, whose maintainers have confirmed that the open source project is not vulnerable to this attack.

Also, please bear in mind the obvious point that the attack is only possible if you are serving HTTP/2, which still has a pretty low uptake.

N.B. If you need HTTP/2 and want mitigation against this vulnerability, you will need to be running at least v8.7.0 of our appliance.

Some of our competitors aren't quite as confident.

But it's never wise to gloat: the next security breach could affect anyone.

Here at Loadbalancer we are strong believers in transparency and full disclosure. We believe deeply in the open source model, and work closely with the open source community to ensure you get the security that you deserve.

We also understand that security vulnerabilities and patches are inevitable. However we feel that vendors could do much more to help you...

...by designing load balancers with less complexity
...by encouraging simpler deployment architecture
...by thinking about your applications, not just their ADC
...by taking the time to understand you and your business

This has led us to develop load balancers that are clever, not complex. In other words, our products offer the functionality required, but are simpler to implement, easier to use and maintain, and designed to solve the availability and performance problems of the majority of applications deployed on this planet.

Because, as most people will tell you, unnecessary complexity can leave you vulnerable.

We are not your average load balancing vendor.

We are a commercial business, but heavily reliant on open source software like HAProxy, and make an active contribution to this amazing community.

We believe in the power of open source and, unlike other vendors, are very open about what we use, and why. And when we implement new functionality, we give it back to the community, for example:

Simply put, more eyes means that open source tools are stronger, better, faster and more secure. Which is fundamentally why we believe open source is better than proprietary.
