After CVE-2026-23918 got patched, a lot of operators realized Apache's default logging doesn't actually surface HTTP/2 stream-level abuse. The attack signatures just don't show up in a standard access log.
The fix is straightforward: turn on LogLevel http2:debug during incident investigations.
What to look for
High-volume RST_STREAM frames from a single IP are the main signature. If you're also seeing worker segfaults in the same window, that's a pretty reliable combination pointing at active exploitation rather than normal traffic quirks.
Why not leave it on
Debug-level HTTP/2 logging is verbose. In a moderately busy production environment it generates a lot of output very quickly. It's the kind of thing you want disabled by default and enabled only when you're actively hunting something or responding to an incident.
How to enable it safely
# In your vhost or server config
LogLevel http2:debug
Then watch your error log for RST_STREAM patterns:
tail -f /var/log/apache2/error.log | grep -i "http2"
When you've got what you need, dial it back:
LogLevel http2:warn
The practical upside
If you're already running Apache with HTTP/2 enabled and you've never touched this setting, you're flying partly blind on a known attack vector. Enabling debug logging temporarily takes maybe two minutes and gives you visibility into something that default logging silently drops. Not a bad trade for incident response scenarios.
This isn't a replacement for a WAF or proper rate limiting, but it's a useful diagnostic tool that costs almost nothing to have ready for the next time something weird shows up in your traffic.
—
Cover image: Datadog research on HTTP/2 abuse detection in Apache logs
Top comments (0)