Improved Protection for Angie and Angie PRO Against DoS Attacks#

18.10.2023

The company "Web-Server" announced the release of version 1.3.1 for Angie and Angie PRO.

The company "Web-Server" announced the release of version 1.3.1 for Angie and Angie PRO.

This release includes changes, including restrictions on data streams over the HTTP/2 protocol, which enhances protection against the "HTTP/2 Rapid Reset" DoS attack. The company "Web-Server" does not believe that Angie is vulnerable to this issue; however, it has decided to take additional precautions.

Angie 1.3.1 and Angie PRO 1.3.1 represent an important step in the development of the Russian web server. The updated versions provide a higher level of security and performance.

Earlier, on October 11, Google reported <https://www.opennet.ru/opennews/art.shtml?num=59901/> the largest DDoS attack on its infrastructure, with an intensity of 398 million requests per second. The new attack technique has been named "Rapid Reset" and exploits the multiplexing capabilities provided by HTTP/2, allowing for the formation of a stream of requests within an already established connection, without opening new network connections and without waiting for packet acknowledgment. The vulnerability is viewed as a consequence of shortcomings in the HTTP/2 protocol, which states in its specification that when attempting to open too many streams, only the streams exceeding the limit should be canceled, without closing the entire network connection.