[CVSS 7+] Unprecedented HTTP/2 DDoS Attack

Executive Summary

An Internet-wide zero-day vulnerability known as “HTTP/2 Rapid Reset” has fueled the largest-ever distributed denial-of-service (DDoS) attack, causing significant disruptions and outages.

The vulnerability affects various internet-exposed HTTP/2 endpoints, including web servers, reverse proxies, and other software handling HTTP/2 traffic.

This attack marks a significant evolution in the landscape of DDoS threats, demanding proactive measures to address it.

Cloud providers such as Amazon Web Services, Cloudflare, and Google Cloud observed the attack and collaborated to minimize its impact. However, organizations still need to proactively patch their HTTP/2 instances to protect against this vulnerability.

About the Vulnerability

The vulnerability, known as “HTTP/2 Rapid Reset” and tracked as CVE-2023-44487, affects the HTTP/2 protocol and carries a high-severity CVSS score of 7.5.

HTTP/2 is a fundamental component of how the Internet and most websites function. It enables more efficient use of network resources and reduced latency by introducing header field compression and allowing multiple concurrent exchanges (streams) on the same connection.

The vulnerability impacts internet-exposed HTTP/2 endpoints, including web servers, reverse proxies, and other software processing HTTP/2 traffic.

Attackers exploit this vulnerability by making a large number of HTTP/2 requests and immediately canceling them. This automated pattern overwhelms websites and disrupts services that rely on HTTP/2.

On October 10th, CISA issued an alert about the HTTP/2 Rapid Reset vulnerability, which was exploited in the wild from August 2023 through October 2023.

About the DDoS Attack

The Rapid Reset DDoS attack technique involves making hundreds of thousands of HTTP/2 requests and immediately canceling them. By automating this pattern at scale, threat actors overwhelm servers and applications supporting HTTP/2.
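The pattern described above and in the "About the Vulnerability" section (a client opening a stream with a HEADERS frame and cancelling it at once with RST_STREAM) is what a server-side defense has to recognise: a legitimate client rarely cancels more than a handful of streams, while a Rapid Reset client cancels almost every stream it opens. The following is an added example, not code from the original post or from any vendor's patch. It parses raw HTTP/2 frame headers, counts client-initiated streams and RST_STREAM frames per connection inside a sliding time window, and returns a "close" verdict once the reset rate exceeds a threshold, which is the general shape of the mitigation the advisory asks vendors to ship. The sample frame sequences are constructed in memory (the HEADERS payloads are placeholder bytes, not real HPACK), the class and function names are this example's own, and the threshold of 100 resets per second is an assumed tuning value, not one taken from the post.

```python
import struct
from collections import deque

# HTTP/2 frame type codes (RFC 9113) and the CANCEL error code carried by RST_STREAM.
HEADERS, RST_STREAM = 0x1, 0x3
ERR_CANCEL = 0x8
FRAME_HEADER_LEN = 9


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (struct.pack("!I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte buffer."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) < length:   # truncated trailing frame: stop, do not guess
            break
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class RapidResetMonitor:
    """Per-connection counter: closes the connection when RST_STREAM frames arrive too fast."""

    def __init__(self, max_resets=100, window=1.0):
        self.max_resets = max_resets   # assumed threshold: resets allowed per window
        self.window = window           # seconds
        self.resets = deque()          # timestamps of recent RST_STREAM frames
        self.requests = 0
        self.open_streams = set()

    def observe(self, ftype, stream_id, now):
        if ftype == HEADERS and stream_id % 2 == 1:   # odd ids are client-initiated streams
            self.requests += 1
            self.open_streams.add(stream_id)
        elif ftype == RST_STREAM:
            self.open_streams.discard(stream_id)
            self.resets.append(now)
            while self.resets and now - self.resets[0] > self.window:
                self.resets.popleft()            # forget resets older than the window
            if len(self.resets) > self.max_resets:
                return "close"                   # mitigation decision: drop the connection
        return "ok"


def evaluate_connection(raw, max_resets=100, window=1.0, frame_interval=0.0001):
    """Replay a captured frame buffer through the monitor with synthetic arrival times."""
    mon = RapidResetMonitor(max_resets, window)
    frames_seen = 0
    for i, (ftype, _flags, sid, _payload) in enumerate(iter_frames(raw)):
        frames_seen = i + 1
        if mon.observe(ftype, sid, i * frame_interval) == "close":
            return {"verdict": "close", "frames_seen": frames_seen,
                    "requests": mon.requests, "resets": len(mon.resets)}
    return {"verdict": "ok", "frames_seen": frames_seen,
            "requests": mon.requests, "resets": len(mon.resets)}


def build_sample(n_streams, reset_every):
    """Constructed traffic: n_streams client streams, every reset_every-th one cancelled at once."""
    out = b""
    for k in range(n_streams):
        sid = 2 * k + 1                                    # 1, 3, 5, ... client stream ids
        out += build_frame(HEADERS, sid, b"\x00placeholder-hpack", flags=0x5)  # END_HEADERS|END_STREAM
        if k % reset_every == 0:
            out += build_frame(RST_STREAM, sid, struct.pack("!I", ERR_CANCEL))
    return out


BENIGN = build_sample(20, reset_every=10)    # 20 requests, 2 cancellations
ABUSIVE = build_sample(500, reset_every=1)   # every request cancelled immediately

if __name__ == "__main__":
    print("benign :", evaluate_connection(BENIGN))
    print("abusive:", evaluate_connection(ABUSIVE))
```

The monitor keys on the rate of RST_STREAM frames rather than on the number of concurrently open streams, because the whole point of Rapid Reset is that cancelled streams never count against the server's concurrent-stream limit. A real deployment would tie the timestamps to actual frame arrival and feed the "close" verdict to the connection handler (GOAWAY followed by teardown), and would tune the threshold against observed legitimate traffic.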

The attack has been carried out with a relatively small botnet, yet it can generate a significant volume of requests. During the peak of the August campaign, cloud providers observed an unprecedented number of requests per second, breaking previous records.

Cloudflare reported seeing more than 201 million requests per second (rps), while Google observed a peak of 398 million rps. Additionally, AWS detected a peak of more than 155 million rps targeted at the Amazon CloudFront service.

This attack technique represents a major shift in DDoS threats and their scale, emphasizing the importance of being prepared to defend against such attacks.

Recommendations

Organizations that offer HTTP/2 services should promptly apply patches as they become available. Disabling the HTTP/2 protocol could be considered as a last resort.

To protect against DDoS threats, organizations are advised to take proactive measures, including:

  • Inventory internet-facing systems and apply the mitigations provided by vendors.
  • Evaluate and strengthen existing security protections and capabilities.
  • Implement DDoS protection measures outside of the data center.
  • Deploy DDoS protection for applications, network traffic, and API firewalls.
  • Ensure that web servers and operating systems are kept up to date with the latest patches.

For more information on preventing, detecting, and responding to DDoS attacks, please refer to CISA’s guidance.

Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.
