[comice]

Nice to see that the haproxy people had spotted this kind of issue with http/2 and apparently mitigated it back in 2018: https://www.mail-archive.com/haproxy@formilux.org/msg44134.h...

[jabart]

Nice, I was looking for this type of information for haproxy. Gives me a lot of confidence in their new QUIC feature.

[vdfs]

If anyone is curios, Nginx is vulnerable to this

https://www.nginx.com/blog/http-2-rapid-reset-attack-impacti...

[obituary_latte]

IF configured away from the defaults:

By relying on the default keepalive limit, NGINX prevents this type of attack. Creating additional connections to circumvent this limit exposes bad actors via standard layer 4 monitoring and alerting tools.

However, if NGINX is configured with a keepalive that is substantially higher than the default and recommended setting, the attack may deplete system resources.