HTTP/2 Rapid Reset Attack Triggers Record DDoS Events
Researchers uncover a protocol-level weakness in HTTP/2 enabling attackers to launch extremely powerful distributed denial-of-service attacks against web infrastructure.
Overview
In October 2023, major internet infrastructure providers disclosed a new attack technique capable of generating extremely powerful distributed denial-of-service (DDoS) events. The technique, later referred to as the HTTP/2 Rapid Reset attack, exploited characteristics of the HTTP/2 protocol to overwhelm servers with large volumes of request traffic.
Security teams from multiple organizations observed attack waves reaching unprecedented scale. Some events exceeded hundreds of millions of requests per second, setting new records for application-layer DDoS activity.
Because the attack relied on normal protocol behavior rather than malformed traffic, many traditional mitigation mechanisms initially struggled to detect or block the activity.
How the Rapid Reset Technique Works
HTTP/2 allows clients to open multiple request streams within a single connection. The Rapid Reset technique abuses this capability by repeatedly opening request streams and immediately cancelling them.
By rapidly initiating and cancelling streams, attackers force servers to continuously allocate resources for requests that are never completed. Each cancelled stream still costs the server processing work, while the attacker needs to send only relatively small amounts of traffic.
When executed across large numbers of systems, the technique can create enormous volumes of request activity directed toward a target service.
This pattern falls within the broader category of distributed denial-of-service attacks that aim to exhaust infrastructure resources and disrupt service availability.
Attack Infrastructure
Investigations suggested that attackers used networks of compromised systems to generate traffic associated with the Rapid Reset technique. These distributed networks are commonly referred to as botnets.
Botnets allow attackers to coordinate large numbers of devices simultaneously, creating massive traffic volumes that can overwhelm internet-facing services.
Because many compromised devices may be geographically distributed, mitigation becomes more complex than blocking traffic from a single source.
Why the Attack Was Significant
The Rapid Reset technique demonstrated that weaknesses in widely used internet protocols can create unexpected opportunities for attackers.
HTTP/2 is widely deployed across web servers, content delivery networks, and cloud platforms. As a result, the discovery of an attack method capable of generating enormous request volumes immediately raised concerns about the resilience of global web infrastructure.
Unlike earlier volumetric DDoS attacks that relied on large amounts of bandwidth, this method leveraged protocol behavior to amplify the effect of relatively modest traffic generation.
This made the technique particularly efficient for attackers.
Defensive Measures
Following the disclosure of the attack method, infrastructure providers and software vendors implemented a range of mitigations.
These included rate-limiting mechanisms, connection management changes, and improvements to how servers process cancelled HTTP/2 requests.
Content delivery networks and cloud platforms deployed protective controls designed to identify and block abusive request patterns associated with the Rapid Reset technique.
Organizations operating internet-facing services were encouraged to update server software and ensure that upstream infrastructure providers had deployed mitigation controls.
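The per-connection accounting behind such mitigations can be sketched as follows. This is an added example, not code from the article or from any vendor's implementation. The thresholds, the `ConnectionResetTracker` class and the event tuples are assumptions chosen for illustration; it shows one specific policy (a sliding-window cap on client cancellations plus a cancel-to-open ratio check) replayed over constructed frame sequences.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values for illustration; tune against real traffic.
WINDOW_SECONDS = 1.0         # sliding window for counting cancellations
MAX_RESETS_PER_WINDOW = 100  # burst cap on client RST_STREAM frames
MIN_STREAMS_FOR_RATIO = 50   # do not judge the ratio on tiny samples
MAX_RESET_RATIO = 0.5        # fraction of opened streams the client may cancel

@dataclass
class ConnectionResetTracker:
    """Hypothetical per-connection state: streams opened vs. cancelled by the client."""
    opened: int = 0
    reset: int = 0
    recent_resets: deque = field(default_factory=deque)

    def on_headers(self) -> None:
        self.opened += 1

    def on_client_rst(self, now: float) -> str:
        """Record a client cancellation; return 'allow' or 'close'."""
        self.reset += 1
        self.recent_resets.append(now)
        # Drop cancellations that have aged out of the sliding window.
        while self.recent_resets and now - self.recent_resets[0] > WINDOW_SECONDS:
            self.recent_resets.popleft()
        if len(self.recent_resets) > MAX_RESETS_PER_WINDOW:
            return "close"  # burst of cancellations
        if self.opened >= MIN_STREAMS_FOR_RATIO and self.reset / self.opened > MAX_RESET_RATIO:
            return "close"  # most streams are cancelled before completion
        return "allow"

def evaluate(events):
    """Replay (timestamp, frame_type) pairs; return frames processed before closing, or None."""
    tracker = ConnectionResetTracker()
    for i, (ts, frame) in enumerate(events, start=1):
        if frame == "HEADERS":
            tracker.on_headers()
        elif frame == "RST_STREAM" and tracker.on_client_rst(ts) == "close":
            return i
    return None

# Constructed sample: ordinary browsing with a few cancelled requests.
NORMAL = [(i * 0.3, "HEADERS") for i in range(30)] + [(9.0 + i, "RST_STREAM") for i in range(3)]
# Constructed sample: every stream is cancelled right after it is opened.
RESET_HEAVY = [(i * 0.001, f) for i in range(200) for f in ("HEADERS", "RST_STREAM")]

if __name__ == "__main__":
    print("normal:", evaluate(NORMAL), "reset-heavy:", evaluate(RESET_HEAVY))
```

In a real server the "close" decision would translate into ending the connection, and the counters would be fed from the HTTP/2 frame handler rather than from a replayed list.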
Analytical Perspective
The Rapid Reset attack highlights an important reality about internet-scale security: even well-established protocols can contain behaviors that attackers may eventually weaponize.
Modern DDoS campaigns increasingly rely on creative abuse of protocol features rather than simply generating large traffic volumes.
This trend reflects a broader shift in attacker strategy. Instead of relying purely on brute-force traffic generation, adversaries often identify subtle design characteristics within widely deployed technologies and turn them into amplification mechanisms.
Understanding how these attacks evolve is an essential part of modern defensive strategy, particularly as the internet continues to depend on complex layered protocols.
The Rapid Reset incident demonstrates how protocol-level weaknesses can rapidly translate into global-scale attack techniques when exploited by coordinated adversaries.