Answer Brief
Cloudflare documented a record-scale DDoS wave that abused HTTP/2 stream cancellation (RST_STREAM) to generate extreme request rates with a relatively small botnet. The “Rapid Reset” technique (tracked as CVE-2023-44487) exploits HTTP/2’s ability to open many concurrent streams and then instantly cancel them, letting attackers recycle concurrency slots faster than some servers and intermediaries can clean up state. Cloudflare said attacks began Aug. 25, 2023 and peaked just above 201 million requests per second, observed alongside similar activity reported by Google and AWS, prompting coordinated disclosure to vendors and critical infrastructure providers.

Why It Matters
Cloudflare’s write-up frames Rapid Reset as more than a single implementation bug: it is a repeatable protocol-abuse pattern that leverages a legitimate HTTP/2 feature, per-stream cancellation, to amplify server-side work. HTTP/2 multiplexing enables many in-flight streams per TCP connection, and the protocol allows clients to cancel a stream via RST_STREAM without closing the connection. Cloudflare explains the key asymmetry: canceled streams can transition to “closed” quickly on the client side, freeing the client to open new streams immediately, while some servers, proxies, or multi-tier architectures may accumulate cleanup work or downstream dispatch that lags behind the resets. That backlog can translate into disproportionate CPU, memory, and queue pressure even when the attacker isn’t maintaining many long-lived connections.
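The asymmetry described above can be shown with a small queue model. This is an added illustration, not code from Cloudflare or from the original brief; the tick-based timing, the function name `simulate`, and the policy of counting streams still in cleanup against the concurrency limit are assumptions made for the example.

```python
from collections import deque


def simulate(ticks, max_concurrent, cleanup_ticks, count_cleanup):
    """Model one HTTP/2 connection whose client cancels every stream at once.

    Each tick the client opens as many streams as the server's concurrency
    limit appears to allow and resets them immediately. The server needs
    `cleanup_ticks` ticks to release the state of a cancelled stream.

    count_cleanup=False: a reset stream frees its slot instantly, so only
        streams the protocol still considers open count against the limit.
    count_cleanup=True (assumed policy): a reset stream keeps occupying its
        slot until the server has actually finished cleaning it up.

    Returns (peak streams the server holds state for, total streams opened).
    """
    cleaning = deque()            # release tick of each stream in cleanup
    peak = opened_total = 0
    for now in range(ticks):
        # Server finishes cleanup for streams whose release tick has come.
        while cleaning and cleaning[0] <= now:
            cleaning.popleft()
        held = len(cleaning) if count_cleanup else 0
        can_open = max(0, max_concurrent - held)
        # Open + immediate RST_STREAM: the slot is free again for the client,
        # but the server still owes cleanup work for every one of them.
        cleaning.extend([now + cleanup_ticks] * can_open)
        opened_total += can_open
        peak = max(peak, len(cleaning))
    return peak, opened_total
```

With a limit of 100 streams and a 10-tick cleanup, the first policy lets server-side state reach ten times the advertised limit, while the second keeps it at the limit and cuts the accepted request volume by the same factor.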
The operational significance is the combination of (1) extremely high request rates (Cloudflare reports a peak just above 201M rps), (2) comparatively small botnet size (~20,000 nodes, per Cloudflare), and (3) broad exposure surface. Because Cloudflare believes the weakness is inherent to HTTP/2 and its implementations, “any vendor that has implemented HTTP/2” may be susceptible—including modern web servers and the intermediaries that commonly sit in front of them (reverse proxies, CDNs, load balancers, API gateways). This is the kind of protocol-level abuse that can propagate across ecosystems: even if an origin server is patched, an upstream proxy tier might still be a chokepoint; conversely, even robust edge mitigation may not protect internal HTTP/2-speaking services if they are directly reachable.
For global cloud and infrastructure risk teams, the simultaneous reports from Cloudflare, Google, and AWS are themselves a signal: when multiple hyperscale operators report the same vector at the same time, it suggests attacker tooling is standardized and scalable, and that the technique is likely to be commoditized across botnets. Cloudflare also notes coordinated disclosure to affected vendors and critical infrastructure providers, which underscores that the blast radius includes not just consumer sites but also services whose availability is nationally or economically sensitive.
Cloudflare states that its automated DDoS systems largely absorbed the initial wave, with about 1% of requests impacted at first, and that mitigations were subsequently refined to stop the method for Cloudflare customers without impacting Cloudflare’s own systems. Those are Cloudflare’s claims about its platform performance; the broader takeaway is that defenses must account for rapid stream churn and the mismatch between client-side cancellation speed and server-side cleanup across multi-hop request paths.
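One way to account for rapid stream churn per connection, as an added example that is not Cloudflare's mitigation and not part of the original brief. The thresholds, the `RESPONSE_DONE` event label (a stand-in for "server finished the response", not an HTTP/2 frame type), the function names, and the trace are all constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0     # assumed sliding-window length, seconds
MAX_RESETS = 50    # assumed: early client resets tolerated per window
MIN_RATIO = 0.8    # assumed: cancelled share of streams opened in the window


def flag_reset_churn(events):
    """events: time-ordered (ts, conn_id, frame, stream_id) tuples.

    Returns the connection ids whose early-cancel rate crossed both limits.
    """
    opened = defaultdict(deque)   # conn -> timestamps of opened streams
    resets = defaultdict(deque)   # conn -> timestamps of early cancels
    pending = defaultdict(set)    # conn -> streams with no response yet
    flagged = set()
    for ts, conn, frame, sid in events:
        if frame == "HEADERS":            # client opens a stream
            opened[conn].append(ts)
            pending[conn].add(sid)
        elif frame == "RESPONSE_DONE":    # server answered; later RST is harmless
            pending[conn].discard(sid)
        elif frame == "RST_STREAM" and sid in pending[conn]:
            # Only a cancel that arrives before the response counts as churn.
            pending[conn].discard(sid)
            resets[conn].append(ts)
        for q in (opened[conn], resets[conn]):
            while q and q[0] <= ts - WINDOW_S:
                q.popleft()
        n_open, n_reset = len(opened[conn]), len(resets[conn])
        if n_reset > MAX_RESETS and n_reset >= MIN_RATIO * n_open:
            flagged.add(conn)
    return flagged


def sample_trace():
    """Constructed trace: 'browser' cancels 2 of 20 streams, 'churn' all 200."""
    ev = []
    for i in range(20):
        sid, t = 2 * i + 1, i * 0.04
        ev.append((t, "browser", "HEADERS", sid))
        kind = "RST_STREAM" if i < 2 else "RESPONSE_DONE"
        ev.append((t + 0.03, "browser", kind, sid))
    for i in range(200):
        sid, t = 2 * i + 1, i * 0.0025
        ev.append((t, "churn", "HEADERS", sid))
        ev.append((t + 0.001, "churn", "RST_STREAM", sid))
    return sorted(ev, key=lambda e: e[0])
```

Requiring both an absolute count and a high cancel ratio keeps ordinary clients that abandon a few requests, such as a browser navigating away, below the threshold.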
Event Type: security
Importance: high
Affected Companies
- Amazon Web Services (AWS)
- Cloudflare
Affected Sectors
- Application delivery / load balancing
- Cloud infrastructure
- Content delivery networks (CDN)
- Cybersecurity
- Web hosting
Key Numbers
- Peak attack rate observed by Cloudflare: Just above 201 million requests per second
- Relative size vs Cloudflare’s prior record: ~3× larger (per Cloudflare)
- Estimated botnet size used in observed peak: ~20,000 machines (per Cloudflare)
- Typical total web request volume (context from Cloudflare): ~1–3 billion requests per second
- Initial customer traffic impact during first wave (Cloudflare): ~1% of requests affected
Timeline
- Cloudflare begins observing unusually large HTTP attacks consistent with the Rapid Reset method.
- Cloudflare publishes technical breakdown of the HTTP/2 Rapid Reset DDoS wave and mitigations; notes coordinated disclosure with Google and AWS.