On the recent HTTP/2 DoS attacks

On August 13, 2019, multiple Denial of Service (DoS) vulnerabilities were disclosed for several HTTP/2 server implementations. Cloudflare, which uses NGINX for HTTP/2, has already protected its customers from these attacks. The individual vulnerabilities, discovered by Netflix and included in the announcement, are: CVE-2019-9511 to CVE-2019-9518. As soon as Cloudflare became aware of these vulnerabilities, their Protocols team started working on fixes. They first pushed a patch to detect any attack attempts and then mitigated the vulnerabilities. The changes were rolled out weeks ago, and they continue to monitor similar attacks. Customers who host web services over HTTP/2 on an alternative path not behind Cloudflare are advised to apply the latest security updates to their origin servers for protection against these HTTP/2 vulnerabilities.