CVE-2023-44487: HTTP/2 Rapid Reset Attack (Not Vulnerable)
10 October 2023, 13:50 UTC
In late August 2023, Fastly engineers became aware of a series of DDoS attacks against sites hosted by Fastly that employed the novel amplification mechanism described in CVE-2023-44487.
During these attacks, parts of our network experienced high volumes of traffic, and customers may have seen intermittent slowness and elevated errors as a result.
In September 2023, Fastly deployed targeted mitigations which minimized the effectiveness of this type of attack, and deployed a series of improvements to our TLS termination engine that fully mitigate this and similar classes of attacks on our network. As a result, CVE-2023-44487, reported on the 10th of October 2023, does not present any further risk to our network or our customers.
We are preparing a Fastly Blog post, to be shared on our https://www.fastly.com/blog site, which will describe the actions Fastly took in more detail. Once the blog post has been published, we will share that link as an update to this status post.
25 October 2023, 18:00 UTC
Fastly has published a blog post outlining How Fastly Protects its customers from Massive DDoS threats, including the Rapid Reset attack.
We would like to thank our customers for their patience as we conducted further reviews of the details described in CVE-2023-44487 and prepared our response. For any remaining inquiries, please reach out to our Support team through https://support.fastly.com.