HTTP/2 Rapid Reset Attack CVE-2023-44487
Aug 10, 2024
Here, I will share a powerful Go script that can be used to attack an HTTP/2 site with millions of requests/sec and discuss methods for mitigating such attacks.
Introduction
A critical zero-day vulnerability known as the “HTTP/2 Rapid Reset” attack was uncovered by Cloudflare, alongside industry giants Google and Amazon AWS. This vulnerability targets the HTTP/2 protocol, enabling attackers to unleash hyper-volumetric Distributed Denial of Service (DDoS) attacks at an unprecedented scale.
How HTTP/2 Works: Key Features
- Stream Multiplexing: HTTP/2 introduces the concept of “streams,” which are bidirectional communication channels within a single TCP connection. This allows multiple HTTP requests and responses to be sent simultaneously over one connection, significantly improving the efficiency of data transfer.
- Efficient Use of Connections: Unlike HTTP/1.1, where each request is handled sequentially, HTTP/2 allows for multiple requests to be processed in parallel over a single connection. This reduces latency and increases the throughput of each connection.
- Minimized Latency: HTTP/2’s stream multiplexing reduces the need for multiple TCP connections, which minimizes the overhead associated with connection setup, such…
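As an added example (not code from the original post): a small Go parser that walks the frames of one HTTP/2 connection, shows streams 1, 3 and 5 sharing it, and counts how many opened streams were cancelled with RST_STREAM, the per-connection figure a defender would track for this CVE. The byte capture and the names `Tally`, `ConnStats` and `Sample` are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// ConnStats summarises the client frames seen on one TCP connection.
type ConnStats struct{ Opened, Reset int }

// Tally walks raw HTTP/2 frames (9-byte header: 24-bit length, type, flags,
// reserved bit + 31-bit stream ID) and counts streams opened by HEADERS (0x1)
// and opened streams later cancelled by RST_STREAM (0x3).
func Tally(buf []byte) (ConnStats, error) {
	var st ConnStats
	open := map[uint32]bool{} // stream ID -> still open
	for len(buf) > 0 {
		if len(buf) < 9 {
			return st, fmt.Errorf("truncated frame header (%d bytes)", len(buf))
		}
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		id := binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff // mask reserved bit
		if len(buf) < 9+length {
			return st, fmt.Errorf("truncated payload on stream %d", id)
		}
		if _, known := open[id]; buf[3] == 0x1 && !known {
			open[id], st.Opened = true, st.Opened+1
		} else if buf[3] == 0x3 && open[id] {
			open[id], st.Reset = false, st.Reset+1
		}
		buf = buf[9+length:]
	}
	return st, nil
}

// Sample is a constructed capture: three streams interleaved on one
// connection, then one of them cancelled (error code 0x8 is CANCEL).
var Sample = []byte{
	0, 0, 1, 0x1, 0x5, 0, 0, 0, 1, 0x82, // HEADERS, stream 1
	0, 0, 1, 0x1, 0x5, 0, 0, 0, 3, 0x82, // HEADERS, stream 3
	0, 0, 1, 0x1, 0x5, 0, 0, 0, 5, 0x82, // HEADERS, stream 5
	0, 0, 4, 0x3, 0x0, 0, 0, 0, 3, 0, 0, 0, 8, // RST_STREAM, stream 3
}

func main() { fmt.Println(Tally(Sample)) }
```

A server or proxy can compare `Reset` against `Opened` per connection and close connections where almost every stream is cancelled right after it is opened.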