Akka HTTP rapid reset denial of service
Description of Vulnerability
A widespread HTTP/2 server vulnerability where a client issues rapid HTTP/2 reset frames and thereby sidesteps the protection against unlimited resource consumption built into the protocol.
Severity
The CVSS score of this vulnerability is 7.5, based on vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Impact
The quick sequence of requests can possibly trigger of expensive requests on the server, depending on the application logic built on top of Akka HTTP/2, at a low cost for the abusing client, allowing for denial of service attacks.
Akka HTTP/2 servers running behind a proxy are likely protected by the proxy, given that it has protective measurements against this vulnerability.
Resolution
Starting from Akka HTTP 10.5.3 a reset frame rate limit is present in the HTTP/2 server.
The rate limit is configurable through settings akka.http.server.http2.max-resets and akka.http.server.http2.max-resets-interval with a default limit of 400 resets per 10s and connection.
Once a connection hits the limit it is closed.