Netty 4.1.100.Final released
We are happy to announce the release of netty 4.1.100.Final. This release fixes a HTTP2 DDOS attack vector which effects any HTTP/2 Server, also called "HTTP/2 Rapid Reset Attack". If you use netty to run a HTTP/2 server we urge you to upgrade as soon as possible.
The most important changes are:
- DDoS vector in the HTTP/2 protocol due RST frames (#GHSA-xpw8-rcwv-8f8p)
- Do not fail when compressing empty HttpContent (#13655)
DDOS HTTP/2 protection - HTTP/2 Rapid Reset Attack
As stated above this release includes an by default protection for the HTTP/2 DDOS issue (#GHSA-xpw8-rcwv-8f8p). This is done by limiting the amount of RST frames a remote peer can send on a connection in given time window. You can adjust the configuration of these settings via one of these builders if needed:
Http2ConnectionHandlerBuilder
Http2FrameCodecBuilder
HttpMultiplexCodecBuilder
For more details please visit our bug tracker
Thank You
Every idea and bug-report counts, and so we thought it is worth mentioning those who helped in this area.
Please report an unintended omission.