In August 2023, the internet faced a tsunami. Cloudflare reported an attack peaking at 201 million requests per second. It was the largest DDoS attack in history, and it didn't use a massive botnet. It exploited a flaw in the fundamental design of the web: HTTP/2.
Executive Summary
HTTP/2 Rapid Reset (CVE-2023-44487) is a zero-day vulnerability in the HTTP/2 protocol. It allows an attacker to generate an enormous amount of work for a server while expending very little effort themselves, leading to a Denial of Service (DoS).
This asymmetry allowed attackers to generate traffic volumes 3x larger than the previous world record, using a botnet only 1/10th the size. It affected every major web server: Nginx, Apache, IIS, and Cloudflare/AWS/Google infrastructure.
The Protocol Flaw: Multiplexing Gone Wrong
HTTP/2 introduced a feature called Stream Multiplexing. In HTTP/1.1, a connection carries only one request at a time, so a client had to open a new TCP connection for every file it wanted to download (or wait in line). In HTTP/2, you can send multiple requests (streams) over a single TCP connection simultaneously.
HTTP/2 also introduced the RST_STREAM frame. This allows a client to say, "Actually, I don't need that image anymore, cancel it." The server then stops processing that stream to save resources.
The Attack
The Rapid Reset attack involves a client opening hundreds of streams at once and then immediately sending a RST_STREAM for all of them.
Client -> HEADERS (Stream 1)
Client -> HEADERS (Stream 2)
Client -> HEADERS (Stream 3)
...
Client -> RST_STREAM (Stream 1)
Client -> RST_STREAM (Stream 2)
Client -> RST_STREAM (Stream 3)
The server does the work of allocating memory and parsing the request headers for Stream 1, but before it can send a single byte back, the client cancels it. This sidesteps the server's concurrent-stream limit (SETTINGS_MAX_CONCURRENT_STREAMS), because the limit only counts streams that are still open: with a limit of 100, cancelling Stream 1 immediately frees a slot for Stream 101. The attacker can loop this millions of times per second.
Technical Deep Dive: The Attack Anatomy
Understanding the specific mechanics of the attack is crucial for engineers. Most advanced threats follow the Cyber Kill Chain model:
RECONNAISSANCE: The attacker gathers information on the target. This can be passive (OSINT) or active (port scanning).
WEAPONIZATION: Creating a deliverable payload (e.g., a malicious PDF or Office macro).
DELIVERY: Transmitting the weapon to the target (e.g., via Phishing or USB).
EXPLOITATION: Triggering the payload to exploit a vulnerability (e.g., CVE-2023-xyz).
INSTALLATION: Establishing a backdoor or persistence mechanism (e.g., a scheduled task or registry key).
COMMAND & CONTROL (C2): The compromised system calls home to the attacker server for instructions.
ACTIONS ON OBJECTIVES: The attacker achieves their goal (encryption, extensive data exfiltration, destruction).
Vendor Response
The tech giants (Google, AWS, Cloudflare) kept this secret for weeks while they patched their edge networks. When they disclosed it in October, they revealed the scale of the threat.
It was a rare instance of industry-wide collaboration. Because the flaw was in the protocol definition (RFC 7540), virtually every web server in the world was vulnerable by default.
Regulatory and Compliance Context
In the aftermath of such incidents, organizations must navigate a complex web of regulatory obligations. Failure to comply can result in severe fines and reputational damage.
GDPR (General Data Protection Regulation)
For organizations operating in or serving citizens of the EU, GDPR mandates strict breach notification timelines (usually within 72 hours). Article 32 requires the implementation of appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
NIST Cybersecurity Framework
The NIST framework provides a standard for critical infrastructure. It is organized around five core functions: Identify, Protect, Detect, Respond, and Recover. This incident highlights failures primarily in the 'Protect' and 'Detect' functions.
Local Legislation (Privacy Act 1988 - Australia)
Under the Notifiable Data Breaches (NDB) scheme, organizations must notify the OAIC and affected individuals if a data breach is likely to result in serious harm. This includes unauthorized access to personal information.
Mitigation
You cannot "fix" the protocol without breaking backward compatibility. The fix involves implementing "flood protection" logic in the server software:
- Limit RST_STREAM rates: If a client cancels too many streams too quickly, send a GOAWAY frame and drop the entire TCP connection.
- Patch Management: Update Nginx to 1.25.3+ or Apache Tomcat to 10.1.14+.
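The attack sequence from The Attack section and the RST_STREAM rate limit in this list, modelled together as an added Go example (not code from the page, from any vendor advisory or from any web server project). It keeps the per-connection state a server needs, enforces the concurrent-stream cap, and adds a reset budget per time window that triggers GOAWAY; frame types, stream IDs and millisecond timestamps are constructed inputs, and the budget of 200 resets per second is an assumed figure, not any product's default.

```go
package main

import "fmt"
// Conn is the server's state for one TCP connection: stream cap, reset budget per window, open streams.
type Conn struct {
	MaxConcurrent, MaxResets, WindowMs int
	open                               map[uint32]bool
	windowStart, resetCount            int
}
func NewConn(maxConcurrent, maxResets, windowMs int) *Conn { return &Conn{maxConcurrent, maxResets, windowMs, map[uint32]bool{}, 0, 0} }
// Handle returns "accept", "refuse" (stream cap hit) or "goaway" (reset budget exceeded; drop the connection).
func (c *Conn) Handle(typ string, id uint32, atMs int) string {
	switch typ {
	case "HEADERS":
		if len(c.open) >= c.MaxConcurrent {
			return "refuse"
		}
		c.open[id] = true // the server has now parsed and allocated for it
	case "RST_STREAM":
		delete(c.open, id) // the cancel frees a slot: this is the bypass
		if atMs-c.windowStart >= c.WindowMs {
			c.windowStart, c.resetCount = atMs, 0 // start a fresh window
		}
		if c.resetCount++; c.resetCount > c.MaxResets {
			return "goaway"
		}
	}
	return "accept"
}
// Simulate replays the article's pattern against c: rounds of n HEADERS then n RST_STREAM (odd
// client IDs), one round per ms. It returns accepted requests and whether the client was dropped.
func Simulate(c *Conn, rounds, n int) (accepted int, dropped bool) {
	for r := 0; r < rounds; r++ {
		for s := 0; s < n; s++ {
			if c.Handle("HEADERS", uint32(2*(r*n+s)+1), r) == "accept" {
				accepted++
			}
		}
		for s := 0; s < n; s++ {
			if c.Handle("RST_STREAM", uint32(2*(r*n+s)+1), r) == "goaway" {
				return accepted, true
			}
		}
	}
	return accepted, false
}
func main() { // cap alone accepts all 1000 cancelled streams; a budget of 200/s drops the client
	fmt.Println(Simulate(NewConn(100, 1<<30, 1000), 10, 100))
	fmt.Println(Simulate(NewConn(100, 200, 1000), 10, 100))
}
```

Replaying ten rounds of 100 opened-then-cancelled streams shows that the stream cap alone never refuses anything, while the reset budget drops the connection in the third round.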
Standard Incident Response Procedures
A robust Incident Response Plan (IRP) is the best defense against chaos. The SANS Institute outlines a six-step process:
- Preparation: Training, tooling, and dry runs (tabletop exercises).
- Identification: Detecting the deviation from normal behavior and determining the scope.
- Containment: Short-term mitigation (isolating the system) and long-term containment (patching).
- Eradication: Removing the root cause (malware, compromised accounts).
- Recovery: Restoring systems to normal operation and monitoring for recurrence.
- Lessons Learned: Post-incident analysis to improve future response.
The Future of Protocols
This incident highlights the complexity of modern standards. HTTP/3 (QUIC) is even more complex, running over UDP. Complexity is the enemy of security. As we strive for milliseconds of performance gain, we often introduce logical flaws that attackers exploit for massive disruption.
Comprehensive Mitigation Strategies
To prevent recurrence, a defense-in-depth approach is required. This involves layering security controls so that if one fails, another catches the threat.
- Network Segmentation: Isolate critical assets in separate VLANs with strict firewall rules (East-West traffic inspection).
- Endpoint Detection and Response (EDR): Deploy agents that can detect behavioral anomalies, not just file signatures.
- Identity and Access Management (IAM): Enforce Least Privilege and MFA everywhere. Review access logs regularly.
- Regular Audits: Conduct penetration testing and vulnerability scanning (using tools like Nessus or Burp Suite) at least quarterly.
