@adulau This is from Akamai.
I'm not going to alt-text the image since it's only text and it's twice the size of the alt-text limit. I will add the text in this message below. So the alt-text is just the bit after the hashtags.
I don't have a link to the advisory as it was sent through their portal as this text.
#CVE202344487 #HTTP2 #HTTPSRapidResetAttack #RapidResetAttack
#Akamai
#InfoSec
--
Advisory Title: Customers using Akamai Security Products are protected from CVE-2023-44487: HTTP2 Rapid Reset attacks.
This attack, while novel, is at the protocol level and would be mitigated by Akamai on behalf of its customers in the same manner as any other Layer 7 DDoS attack using security product capabilities like Rate Controls, Web Application Firewall (WSA), Bot Man Premier (BMP) or Client Reputation. No additional specific guidance is presently required to mitigate this threat. However, with the emergence of new threats, we encourage customers to work with their Akamai account team and update their security configurations, including rate controls, to ensure they are properly mitigating Layer 7 DDoS attacks.
Even customers without specific security solutions will benefit from built-in protections on the Akamai platform developed to mitigate this threat.
This attack exploits HTTP2 stream multiplexing: attackers immediately reset a stream after initiating a request, resulting in work on the edge server beyond the intended 100 stream limit. This could trigger tens of thousands of simultaneous requests from one connection. Most major HTTP2 stacks behave similarly, and patches or mitigations should be available on 10th October as well.
Akamai has actively participated in the global response to this vulnerability since August, collaborating with other industry stakeholders until its public announcement on October 10th. Over the course of September, we refined our edge delivery software to better detect and manage such attacks, including limiting streams available to abusive HTTP2 clients.
During the industry-wide confidentiality period, Akamai was bound not to disclose details about this vulnerability. However, we remained in close coordination with our partners to ensure customer protection and actively monitored our platform for this abuse.
Additional Customer Mitigation Guidance:
- For SOCC and security customer mitigations, this should be treated the same as any other L7 DDoS attack.
- Customers with security products in alert mode may observe an increase in attacks when this attack is made public. Customers may want to proactively put their products in deny mode and review or adjust rate controls accordingly.
- Customers without rate controls or other security products in deny mode will have clients limited to 100 simultaneous requests per client connection, as per the HTTP2 specification. If an existing Akamai CDN customer needs protection against L7 DDoS attacks, they are encouraged to add AAP or AAP+ASM products to avail themselves of the L7 DDoS protections.
- Prolexic customers should adopt vendor patches or vendor guidance which will be available on 10th October. If vendor mitigations are unavailable or a customer is under attack, the suggested mitigation is to disable HTTP2 until a patch can be applied.
- Customers with origin infrastructure or other services exposed on the internet, not behind Akamai SiteShield or OIPACL, should update their vendors' software, apply vendor mitigations, or disable HTTP2 until a fix can be applied.
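To make the mechanism in the advisory concrete, here is an added illustration (my own example, not Akamai's code and not part of the original post) of why the 100 concurrent stream limit does not bound server work when a client resets each stream immediately, plus the kind of per-connection reset counting a server can use to throttle such a client. The frame representation, the thresholds and the traffic patterns are constructed assumptions for the example.

```python
"""Replay constructed HTTP/2 frame sequences on one connection and flag rapid-reset abuse.

Assumptions (not from the advisory): frames arrive as (stream_id, frame_type) tuples;
the server dispatches backend work as soon as it sees HEADERS; an RST_STREAM only frees
the protocol-level stream slot, it does not undo work already dispatched.
"""
from collections import deque

MAX_CONCURRENT_STREAMS = 100  # the per-connection limit the advisory refers to
RESET_THRESHOLD = 50          # constructed: client resets tolerated per window
WINDOW_FRAMES = 200           # constructed: sliding window measured in frames


def replay(frames):
    """Return (max_open_streams, requests_dispatched).

    open_streams is what the protocol counts against MAX_CONCURRENT_STREAMS;
    dispatched is how much work the server actually started for the client.
    """
    open_streams, max_open, dispatched = set(), 0, 0
    for sid, ftype in frames:
        if ftype == "HEADERS":
            if len(open_streams) >= MAX_CONCURRENT_STREAMS:
                raise ValueError("client exceeded MAX_CONCURRENT_STREAMS")
            open_streams.add(sid)
            dispatched += 1
            max_open = max(max_open, len(open_streams))
        elif ftype in ("RST_STREAM", "END_STREAM"):  # END_STREAM: normal completion
            open_streams.discard(sid)
    return max_open, dispatched


def rapid_reset_suspect(frames, threshold=RESET_THRESHOLD, window=WINDOW_FRAMES):
    """True if the client sends more than `threshold` RST_STREAMs within any
    `window` consecutive frames; benign clients rarely cancel their own requests."""
    recent, resets = deque(), 0
    for _, ftype in frames:
        is_reset = ftype == "RST_STREAM"
        recent.append(is_reset)
        resets += is_reset
        if len(recent) > window:
            resets -= recent.popleft()
        if resets > threshold:
            return True
    return False


def rapid_reset_frames(n):
    """Constructed abusive pattern: every request is cancelled right after it is sent."""
    return [f for i in range(n) for f in ((2 * i + 1, "HEADERS"), (2 * i + 1, "RST_STREAM"))]


def normal_frames(n):
    """Constructed benign pattern: n requests opened, none cancelled by the client."""
    return [(2 * i + 1, "HEADERS") for i in range(n)]  # client streams use odd ids
```

With the abusive pattern the protocol never sees more than one open stream, yet every HEADERS frame still dispatched work, which is the gap the reset-rate check closes.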