romank
New Contributor III

HTTP/2 Max Requests in HTTP Protocol Constraints for protection against HTTP/2 Rapid Reset Attack

Hello.

Regarding:

https://community.fortinet.com/t5/FortiWeb/Outbreak-Alert-HTTP-2-Rapid-Reset-Attack-and-Mitigation/ta-p/278958


The topic is about "HTTP/2", so the question is: if some service isn't using the HTTP/2 scheme, then is it vulnerable?

Please see the attached screenshot example.


WAF_Http2_vuln.png

rkr
srajeswaran
Staff

This attack leverages a flaw in the implementation of the HTTP/2 protocol, so if your server doesn't use HTTP/2, then the attack doesn't affect it.


https://www.fortiguard.com/threat-signal-report/5286/http-2-rapid-reset-attack

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
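The thread turns on whether HTTP/2 is exposed at all, and the linked alerts describe the abuse as a client opening streams and cancelling them immediately, far faster than a real browser would. The Python below is an added illustration for defenders and is not Fortinet's code or any FortiWeb logic: it replays a constructed per-connection log of HTTP/2 frame events and flags connections that show that open-and-cancel pattern or that hold too many streams open at once. The event format, the connection names and the thresholds (WINDOW_SECONDS, MAX_QUICK_RESETS, QUICK_RESET_AGE, MAX_CONCURRENT) are assumptions chosen for the example, not FortiWeb's "HTTP/2 Max Requests" values.

```python
"""Added example: count quick HEADERS -> RST_STREAM cancellations per HTTP/2
connection to spot a Rapid Reset style client.  Events and thresholds are
constructed for illustration; nothing here is FortiWeb's own logic."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Thresholds are assumptions for the example, not a vendor's defaults.
WINDOW_SECONDS = 1.0     # sliding window over which quick resets are counted
MAX_QUICK_RESETS = 50    # quick resets inside the window before flagging
QUICK_RESET_AGE = 0.1    # stream reset within this many seconds of opening is "quick"
MAX_CONCURRENT = 100     # open streams per connection before flagging


@dataclass
class ConnState:
    open_streams: dict = field(default_factory=dict)    # stream_id -> open timestamp
    quick_resets: deque = field(default_factory=deque)  # timestamps of quick resets
    peak_concurrent: int = 0
    flagged: bool = False
    reason: str = ""


def process(events, window=WINDOW_SECONDS, max_quick_resets=MAX_QUICK_RESETS,
            quick_age=QUICK_RESET_AGE, max_concurrent=MAX_CONCURRENT):
    """Replay (timestamp, connection_id, frame_type, stream_id) events in time
    order and return the per-connection state, including any flag reason."""
    conns = defaultdict(ConnState)
    for ts, conn, frame, stream in sorted(events):
        st = conns[conn]
        if frame == "HEADERS":
            # A HEADERS frame on a new stream id opens the stream.
            st.open_streams[stream] = ts
            st.peak_concurrent = max(st.peak_concurrent, len(st.open_streams))
            if len(st.open_streams) > max_concurrent and not st.flagged:
                st.flagged, st.reason = True, "too many concurrent streams"
        elif frame == "RST_STREAM":
            opened = st.open_streams.pop(stream, None)
            # Only a reset that follows the open almost immediately counts;
            # ordinary user cancellations are rare and arrive much later.
            if opened is not None and ts - opened <= quick_age:
                st.quick_resets.append(ts)
                while st.quick_resets and ts - st.quick_resets[0] > window:
                    st.quick_resets.popleft()
                if len(st.quick_resets) > max_quick_resets and not st.flagged:
                    st.flagged, st.reason = True, "rapid reset pattern"
        elif frame == "END_STREAM":
            # Normal completion closes the stream without counting against it.
            st.open_streams.pop(stream, None)
    return conns


def build_sample_events():
    """Constructed sample log: one well-behaved client and one abusive one."""
    events = []
    # Benign client: one request per second, each completed normally.
    for i in range(5):
        sid = 2 * i + 1
        events.append((float(i), "conn-benign", "HEADERS", sid))
        events.append((i + 0.3, "conn-benign", "END_STREAM", sid))
    # Abusive client: 200 streams opened and cancelled within about 0.4 s.
    for i in range(200):
        sid = 2 * i + 1
        t = 10.0 + i * 0.002
        events.append((t, "conn-abusive", "HEADERS", sid))
        events.append((t + 0.001, "conn-abusive", "RST_STREAM", sid))
    return events


def flagged(events):
    """Map each flagged connection id to the reason it was flagged."""
    return {c: s.reason for c, s in process(events).items() if s.flagged}


if __name__ == "__main__":
    for conn, state in process(build_sample_events()).items():
        status = f"FLAGGED ({state.reason})" if state.flagged else "ok"
        print(f"{conn}: peak concurrent={state.peak_concurrent}, "
              f"quick resets={len(state.quick_resets)}, {status}")
```

The two counters answer two different questions: the concurrent-stream count is what a server's SETTINGS_MAX_CONCURRENT_STREAMS limit already bounds, while the quick-reset rate is what that limit cannot see, because each cancelled stream no longer counts as open. Any real mitigation sits at whichever hop terminates HTTP/2 for the client, which is the point Suraj makes above about where the option is enabled.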

romank
New Contributor III

The destination server may use it, but what if FortiWeb has it ticked on? Or the opposite?

rkr
srajeswaran

I believe the screenshot is from a server policy config; if so, unless you enable this option, FortiWeb won't negotiate HTTP/2 connections with the clients.


ref: https://help.fortinet.com/fweb/582/Content/FortiWeb/fortiweb-admin/configure_server_policy.htm

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

romank
New Contributor III

Yep, the screenshot is from the Server policy config, so theoretically IF it's not ticked (on), then the scheme is taken from the destination server itself :) Or by default, is FortiWeb using /1.1? And if, let's say, my destination server is able to use HTTP/2 but HTTP/2 isn't ticked on the server policy, will it use 1.1 or HTTP/2 (from the server)?

My understanding is that it should use 1.1 if HTTP/2 isn't ticked on, because the client connects to the WAF first and is then forwarded to the destination server ;)

rkr
srajeswaran

Your understanding is correct.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
