In August 2023, Google, Cloudflare, and AWS all faced the largest DDoS attacks ever recorded, peaking at 398 million requests per second. The cause was a novel abuse of the HTTP/2 protocol now known as Rapid Reset (CVE-2023-44487). All three companies patched in coordination before disclosing it publicly.
How HTTP/2 Rapid Reset Works
HTTP/2 multiplexes many requests over a single TCP connection, and the server caps how many streams may be open at once with SETTINGS_MAX_CONCURRENT_STREAMS. The RST_STREAM frame lets a client cancel a request immediately after sending it, and a cancelled stream no longer counts toward that cap. Rapid Reset abuses this by sending a continuous stream of request/RST_STREAM pairs: the server still performs the full setup and teardown work for every request, while the client never holds more than a few streams open and so is never throttled by the concurrency limit.
Why it's devastating
A small botnet of 20,000 machines generated 398 million RPS against Google. A comparable HTTP/1.1 attack would require 100x more bots. HTTP/2's efficiency is the vulnerability.
Mitigation
- Patch your HTTP/2 implementation — all major web servers have fixes.
- Limit SETTINGS_MAX_CONCURRENT_STREAMS at the server or proxy level. This bounds the work a single connection can have in flight, though on its own it does not stop Rapid Reset, because cancelled streams no longer count toward the limit.
- Rate-limit RST_STREAM frames per connection.
- Deploy a reverse proxy scrubbing layer — Akarguard's proxy terminates HTTP/2 on behalf of your origin, so unpatched origins are protected.
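The per-connection RST_STREAM rate limit from the list above, as an added example that is not the page's code or any server's actual implementation: a budget that closes the connection when resets in a time window exceed a fixed count, or, once enough streams have been opened, exceed a share of them (so a burst of cancellations from a busy but legitimate client is tolerated while near-100% cancellation is not). The thresholds, the microsecond timeline and the constructed traces are assumptions for illustration.

```go
package main

import "fmt"

// ResetBudget is an example per-connection policy (not any server's actual code):
// per WindowUS at most MaxResets resets, and once MinStreams streams have been
// opened at most MaxRatio of them may be reset. A breach means GOAWAY and close.
type ResetBudget struct {
	WindowUS, windowStart                 int64
	MaxResets, MinStreams, opened, resets int
	MaxRatio                              float64
}

// Observe records a client frame (HEADERS opening a stream, or RST_STREAM when
// reset is true) arriving atUS µs after connection start; true means budget exceeded.
func (b *ResetBudget) Observe(reset bool, atUS int64) bool {
	if atUS-b.windowStart >= b.WindowUS { // start a fresh window
		b.windowStart, b.opened, b.resets = atUS, 0, 0
	}
	if reset {
		b.resets++
	} else {
		b.opened++
	}
	return b.resets > b.MaxResets ||
		(b.opened >= b.MinStreams && float64(b.resets) > b.MaxRatio*float64(b.opened))
}

// Replay runs a constructed trace (n requests, every k-th one cancelled at once,
// frames gapUS apart) and returns the index of the frame that triggers closure, or -1.
func Replay(b ResetBudget, n, k int, gapUS int64) int {
	for i, idx, now := 0, 0, int64(0); i < n; i++ {
		if b.Observe(false, now) {
			return idx
		}
		idx, now = idx+1, now+gapUS
		if i%k == 0 {
			if b.Observe(true, now) {
				return idx
			}
			idx, now = idx+1, now+gapUS
		}
	}
	return -1
}

func main() {
	policy := ResetBudget{WindowUS: 1_000_000, MaxResets: 100, MinStreams: 50, MaxRatio: 0.5}
	fmt.Println(Replay(policy, 150, 20, 5_000), Replay(policy, 1000, 1, 10)) // -1 (browser-like: tolerated), 98 (rapid reset: closed)
}
```

The browser-like trace cancels one request in twenty over 0.8 s and is never closed; the Rapid-Reset-like trace, which cancels every request 10 µs after sending it, trips the ratio check as soon as 50 streams have been opened.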
Lessons for Defense
Rapid Reset demonstrated that protocol-level vulnerabilities can produce attack scale that overwhelms even the largest internet infrastructure. Having a scrubbing proxy that terminates the transport layer independently of your origin servers is no longer optional for any serious service.