teddyh · 2 years ago
dang · 2 years ago
Thanks! Macroexpanded:

HTTP/2 Rapid Reset: deconstructing the record-breaking attack - https://news.ycombinator.com/item?id=37831004 - Oct 2023 (23 comments)

HTTP/2 zero-day vulnerability results in record-breaking DDoS attacks - https://news.ycombinator.com/item?id=37830998 - Oct 2023 (71 comments)

The novel HTTP/2 'Rapid Reset' DDoS attack - https://news.ycombinator.com/item?id=37830987 - Oct 2023 (106 comments)

nologic01 · 2 years ago
"The early Apache server was a big hit, but we all knew that the codebase needed a general overhaul and redesign."

From the README of the apache_1.3.0 distribution (April 1998) https://archive.apache.org/dist/httpd/

Love this project. It changed the world and it still goes strong. The closest to "forever software"?

seabrookmx · 2 years ago
Up there with gcc and OpenSSH.

m00dy · 2 years ago
Yhippa · 2 years ago
A Patchy Server has come such a long way.
zeroimpl · 2 years ago
Surprising to see stuff like this included in a patch release:

    core: Updated conf/mime.types:
     - .js moved from 'application/javascript' to 'text/javascript'

That’s probably going to break something for somebody.

secondcoming · 2 years ago
Is HTTP/2 just too complex for a mere mortal to implement?
supriyo-biswas · 2 years ago
No, but QUIC definitely falls in the overly complicated category, spanning multiple, large RFCs.

This attack is just about failing to enforce the negotiated parameters during the start phase of the connection.

mnot · 2 years ago
Wait till you see the TCP RFCs…
nijave · 2 years ago
I don't think this has too much to do with the spec and more about discovering and preventing DoS vectors.
pornel · 2 years ago
Also HAProxy managed to predict and mitigate this issue 5 years ago.
gustavus · 2 years ago
Sounds like the OAuth2 spec.
unilynx · 2 years ago
Well, have you seen OAuth1? So much trouble to be able to support non-secure HTTP.