CVE-2023-44487 (Exploit Available)

HTTP/2 Rapid Reset DDoS Attack (CVSS 7.5)

Vendor: IETF (Protocol-Level) | CWE-400 | Tags: #DDoS #HTTP/2 #Protocol #Infrastructure
CVSS Base Score: 7.5 (High) on a 0 to 10.0 scale

Vulnerability Description

A zero-day vulnerability in the HTTP/2 protocol allows attackers to launch massive, record-breaking DDoS attacks by abusing the stream cancellation mechanism: a client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM. The server still spends resources processing each request, while the cancelled stream no longer counts against the per-connection concurrent-stream limit, so the attacker can generate requests at a very low cost on their side.

Recommended Mitigation

Apply vendor-specific patches for your HTTP/2 server implementation. Limit the maximum number of concurrent streams per connection, and rate-limit or close connections that send an excessive number of RST_STREAM frames. Enable HTTP/2 flood protection on your WAF/CDN.

Affected Products

NGINX
Apache httpd
Envoy
Go net/http
Node.js
gRPC

Version constraint: All HTTP/2 server implementations before vendor-specific patches

Quick Facts

Published: 2023-10-10
Last Modified: 2023-10-16
Vendor: IETF (Protocol-Level)
CWE: CWE-400
Exploit: ⚠️ Public Exploit Exists

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H