Related vulnerability
Title:
Apache HTTP/2 resource management error vulnerability
(CVE-2023-44487)
Description: HTTP/2 is the second major version of the Hypertext Transfer Protocol, used to carry communication between clients and servers. Apache HTTP/2 has a security vulnerability; an attacker can exploit it to cause a denial of service. The following products and versions are affected: .NET 6.0, ASP.NET Core 6.0, .NET 7.0, Microsoft Visual Studio 2022 version 17.2, Microsoft Visual Studio 2022 version 17.4, Microsoft Visual Studio 2022 version 17.6, Micros
Description
A tool to check how well a system can handle Rapid Reset DDoS attacks (CVE-2023-44487).
Introduction
# HTTP/2 Rapid Reset Client (C#)
The HTTP/2 Rapid Reset Client, implemented in C#, is designed for testing mitigations and assessing vulnerability to the CVE-2023-44487 (Rapid Reset DDoS attack vector). This client establishes a lone TCP socket, conducts TLS negotiation while disregarding certificates, and engages in the exchange of SETTINGS frames. Subsequently, the client swiftly dispatches HEADERS frames, succeeded by RST_STREAM frames. It actively monitors server frames post-initial setup and outputs them to the console.
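The defender-side counterpart to the HEADERS-then-RST_STREAM pattern described above is a per-connection reset-rate check, which is the mitigation most HTTP/2 servers adopted for CVE-2023-44487. The detector below is an added example, not code from the Http2Attack project: the `Frame` record, the sample traffic and the thresholds (1 s window, 100 resets, 50 % cancel ratio) are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:          # constructed record of one client-sent HTTP/2 frame
    ts_ms: int        # server-side receive time, milliseconds
    conn: str         # connection identifier, e.g. "client-ip:port"
    stream_id: int
    kind: str         # "HEADERS" (stream opened) or "RST_STREAM" (client cancelled it)


class RapidResetDetector:
    """Flag a connection once, within a sliding window, the client has cancelled at least
    max_resets streams and cancellations are at least min_ratio of the streams it opened.
    The default thresholds are hypothetical; tune them against real traffic."""

    def __init__(self, window_ms=1000, max_resets=100, min_ratio=0.5):
        self.window_ms, self.max_resets, self.min_ratio = window_ms, max_resets, min_ratio
        self._events = defaultdict(deque)   # conn -> deque of (ts_ms, kind), oldest first
        self.flagged = set()

    def observe(self, frame):
        """Record one frame; return True if the connection is (now) flagged."""
        if frame.kind in ("HEADERS", "RST_STREAM"):
            q = self._events[frame.conn]
            q.append((frame.ts_ms, frame.kind))
            while frame.ts_ms - q[0][0] > self.window_ms:   # drop entries outside the window
                q.popleft()
            resets = sum(k == "RST_STREAM" for _, k in q)
            opened = sum(k == "HEADERS" for _, k in q)
            if resets >= self.max_resets and opened and resets / opened >= self.min_ratio:
                self.flagged.add(frame.conn)
        return frame.conn in self.flagged


def make_frames(conn, n, reset_each, start_ms=0, gap_ms=1):
    """Constructed sample traffic: n requests on one connection, each optionally cancelled
    right after its HEADERS frame (the pattern the client described above produces)."""
    frames = []
    for i in range(n):
        sid = 2 * i + 1                          # client-initiated streams use odd ids
        frames.append(Frame(start_ms + i * gap_ms, conn, sid, "HEADERS"))
        if reset_each:
            frames.append(Frame(start_ms + i * gap_ms, conn, sid, "RST_STREAM"))
    return frames


def flagged_connections(frames, **thresholds):
    # Replay frames in time order; the stable sort keeps each HEADERS before its RST_STREAM.
    det = RapidResetDetector(**thresholds)
    for f in sorted(frames, key=lambda f: f.ts_ms):
        det.observe(f)
    return det.flagged
```

A real deployment would feed `observe` from the server's frame hooks and close or throttle the connection on a `True` return; a slow, spread-out stream of cancellations stays below the window threshold and is left alone.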
## Prerequisites
- [.NET SDK](https://dotnet.microsoft.com/download)
## Installation
### Clone the Repository
```
git clone https://github.com/terrorist/HTTP-2-Rapid-Reset-Client.git
```
### Installing
```
cd Http2Attack
# make sure to change the hard-coded arguments before building the .exe
dotnet build -o Http2Attack
```
### Hard coded arguments
- `requests`: The count of requests to be sent (default is 5)
- `url`: The URL of the server (default is https://localhost:443)
- `wait`: The time, in milliseconds, to wait between starting workers (default is 0)
- `delay`: The delay, in milliseconds, between sending HEADERS and RST_STREAM frames (default is 0)
- `concurrency`: The maximum number of concurrent workers (default is 0)
## Built With
- [System.Net.Http](https://docs.microsoft.com/en-us/dotnet/api/system.net.http) - .NET library for sending HTTP requests and receiving HTTP responses.
## License
This project is licensed under the Apache License - see the [LICENSE](LICENSE) file for details.
## Acknowledgments
This work is based on the [initial analysis of CVE-2023-44487](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack) by Juho Snellman and Daniele Iamartino at Google.
File snapshot
[4.0K] /data/pocs/b4462d56e6c516733ad2722215e1f8a5f8f970e5
├── [4.0K] Http2Attack
│ ├── [ 239] Http2Attack.csproj
│ └── [4.4K] Program.cs
├── [1.1K] Http2Attack.sln
├── [ 11K] LICENSE
└── [1.8K] README.md
1 directory, 5 files
Notes
1. Accessing the code through the original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.