
CVE-2023-44487 Explained: HTTP/2 Rapid Reset — The Record-Breaking DDoS Vulnerability

A design flaw in the HTTP/2 protocol that allows a single client to generate an overwhelming number of request cancellations, producing DDoS attacks an order of magnitude larger than any previously recorded. Cloudflare, Google, and Amazon simultaneously observed record-breaking attacks before coordinated disclosure.

Sources: NVD | Cloudflare Blog — HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks | Google Cloud Blog — How it Works: The Novel HTTP/2 'Rapid Reset' DDoS Attack | AWS Security Blog — CVE-2023-44487 — HTTP/2 Rapid Reset | NGINX, Apache HTTP Server, HAProxy security advisories

Peak RPS — Google (record): 398M
Peak RPS — Cloudflare (record): 201M
CVSS score: 7.5
HTTP/2 implementations affected: All

CVE-2023-44487, known as HTTP/2 Rapid Reset, is a DDoS vulnerability in the HTTP/2 protocol that enabled the largest distributed denial-of-service attacks ever recorded. Google sustained a peak of 398 million requests per second. Cloudflare recorded 201 million requests per second. Amazon observed comparable records. All three companies independently detected the attacks in August and September 2023 and coordinated a simultaneous disclosure on October 10, 2023, ensuring patches across major web server implementations were available at the time of public announcement.

The vulnerability is not a code bug in a specific implementation — it is a design issue in the HTTP/2 protocol specification itself. All HTTP/2 server implementations are affected. The attack exploits legitimate HTTP/2 stream management behavior to create a request amplification effect that allows a comparatively small botnet to generate attack volumes previously impossible.

How HTTP/2 Rapid Reset Works: Exploiting Stream Cancellation

HTTP/2 multiplexes many requests over a single TCP connection using numbered streams. A client can send multiple requests simultaneously (up to the server's advertised max concurrent streams limit) and receive responses interleaved on the same connection.

HTTP/2 also allows a client to cancel a request at any time by sending an RST_STREAM frame. The server must immediately stop processing that request. From the server's perspective: the client opened stream 1, the server began processing it, then the client sent RST_STREAM for stream 1, and the server must abandon that work. Meanwhile, the client has already opened streams 3, 5, 7... and is sending RST_STREAM for each of them as well.

The attack exploits the asymmetry between how cheap it is for the client to open-and-reset a stream versus how expensive it is for the server to handle the open request, begin processing, and then handle the RST_STREAM cancellation. By cycling through stream IDs at high speed — opening a request, immediately resetting it, opening the next — a single HTTP/2 connection can generate thousands of 'new request' events per second against the server.

With a botnet of even modest size, and each client running this loop, the aggregate request rate reaches hundreds of millions per second — overwhelming any server's ability to process requests in queue.

1. Establish HTTP/2 connection to target

Open a standard HTTP/2 connection to the target server. No special privileges or authentication are required. The connection uses normal TLS-encrypted HTTP/2.

2. Flood with rapid request-then-cancel cycles

Send an HTTP/2 HEADERS frame (initiating a request on a new stream ID), immediately followed by an RST_STREAM frame cancelling the same stream. Repeat at maximum speed for the next stream ID. This creates a cycle of open-cancel-open-cancel at thousands of cycles per second per connection.

3. Server allocates and frees resources for each request

The server must allocate resources to begin processing each incoming request before it can act on the cancellation. With thousands of streams being opened and cancelled per second, the server's request handler is overwhelmed — spending all its capacity managing the torrent of short-lived requests.

4. Scale across botnet for record attack volumes

With thousands of clients running this loop simultaneously, the aggregate rate reaches hundreds of millions of requests per second. Legitimate traffic cannot be served. The server becomes unavailable.

Scale of Impact: Why This Attack Is Different

Pre-Rapid Reset, the largest documented HTTP DDoS attack was approximately 71 million requests per second (Cloudflare, February 2023). The Rapid Reset attacks exceeded that record by a factor of 5x (Cloudflare) to more than 5x (Google at 398M RPS).

Cloudflare described the attacks they observed as generated by a botnet of approximately 20,000 machines — a relatively small botnet compared to those used in traditional volumetric attacks. The extreme efficiency of Rapid Reset means that DDoS capability is no longer primarily constrained by the number of attacking clients.

The three-month window between first exploitation (August 2023) and coordinated disclosure (October 2023) reflects the complexity of coordinating patches across dozens of independent web server projects, cloud providers, and infrastructure vendors simultaneously. Google, Cloudflare, and Amazon all implemented their own mitigations independently during this window while working to coordinate the broader disclosure.

The attack was so large that it went beyond anything the internet had ever seen before. And yet, it was generated by a relatively small botnet of approximately 20,000 machines.

Cloudflare Blog, October 2023

Mitigating CVE-2023-44487 in Your Environment

Mitigation requires either patching the HTTP/2 server software or applying configuration-level rate limiting to HTTP/2 stream behaviour.

Update HTTP/2 server software to patched versions

nginx: 1.25.3 or later (or 1.24.0 plus the patch backport). Apache HTTP Server: 2.4.58 or later. HAProxy: see October 2023 advisories for version-specific patches. Microsoft IIS: October 2023 Patch Tuesday update. Envoy: 1.27.1 or later. Confirm your specific version against the vendor's advisory.

Rate-limit HTTP/2 streams per connection

If patching is delayed: reduce the maximum concurrent streams per connection to limit how many rapid-reset cycles each client can generate. In nginx: http2_max_concurrent_streams 64 (default 128). Lower values reduce attack amplification but may impact legitimate high-concurrency clients.

Implement connection-level rate limits at the load balancer or WAF

Rate limit connections per source IP at the load balancer or firewall layer. Detect and block clients sending anomalously high RST_STREAM rates. Many WAF vendors added Rapid Reset specific detection signatures after October 2023.
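As an added example (not code from this article or from any vendor it cites), the Python below sketches the server side of the stream-cancellation mechanism described above and the "anomalously high RST_STREAM rate" check recommended here: a minimal HTTP/2 frame parser feeds a per-connection guard that treats far more client-initiated resets than the advertised concurrent-stream limit as abusive and closes the connection, loosely in the spirit of the October 2023 server patches. The 2x-limit policy, the one-second window, the synthetic arrival times and the sample traffic are all assumptions constructed for the demonstration.

```python
import struct
# HTTP/2 frame types (RFC 9113 s.6) and the 9-byte frame header:
# 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id.
HEADERS, RST_STREAM, FRAME_HEADER_LEN = 0x1, 0x3, 9

def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame; used here only to construct sample traffic."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

def iter_frames(buf):
    """Yield (type, stream_id, payload) for each complete frame in a raw byte stream."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        if pos + FRAME_HEADER_LEN + length > len(buf):
            break  # truncated trailing frame: a real server would wait for more bytes
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        yield buf[pos + 3], stream_id, buf[pos + 9:pos + 9 + length]
        pos += FRAME_HEADER_LEN + length

class ResetGuard:
    """Per-connection reset counter. A client can legitimately cancel at most
    max_concurrent_streams in-flight requests, so far more RST_STREAMs than that
    inside one short window is the Rapid Reset signature (assumed policy: 2x)."""
    def __init__(self, max_concurrent_streams=128, window_seconds=1.0):
        self.limit, self.window, self.reset_times = 2 * max_concurrent_streams, window_seconds, []

    def observe(self, ftype, stream_id, now):
        """Return 'ok', or 'close' once client-initiated resets exceed the limit."""
        if ftype == RST_STREAM and stream_id % 2 == 1:  # client-initiated streams are odd
            self.reset_times = [t for t in self.reset_times if now - t < self.window] + [now]
            if len(self.reset_times) > self.limit:
                return "close"
        return "ok"

def classify_connection(buf, max_concurrent_streams=128, frames_per_second=10000.0):
    """Replay a byte stream through the guard with synthetic arrival times (assumed).
    Returns ('close', frame_index) or ('ok', frames_seen)."""
    guard, n = ResetGuard(max_concurrent_streams), 0
    for n, (ftype, sid, _payload) in enumerate(iter_frames(buf), start=1):
        if guard.observe(ftype, sid, now=n / frames_per_second) == "close":
            return "close", n
    return "ok", n

# Constructed sample traffic: a normal client opens four requests and cancels one ...
CANCEL = (8).to_bytes(4, "big")  # RST_STREAM error code CANCEL
NORMAL = b"".join(build_frame(HEADERS, sid, b"\x82") for sid in (1, 3, 5, 7)) + build_frame(RST_STREAM, 3, CANCEL)
# ... versus the open-then-cancel loop the article describes, run across 300 stream ids.
RAPID_RESET = b"".join(build_frame(HEADERS, sid, b"\x82") + build_frame(RST_STREAM, sid, CANCEL) for sid in range(1, 601, 2))
```

Real servers apply this kind of check per event-loop iteration or per in-flight handler rather than on wall-clock time, and a lower http2_max_concurrent_streams tightens the limit the guard derives from it.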

Evaluate disabling HTTP/2 as a temporary measure

If patching cannot be done immediately and the attack risk is acute: disable HTTP/2 and fall back to HTTP/1.1. This eliminates the Rapid Reset attack surface at the cost of HTTP/2 performance benefits. In nginx: remove http2 from listen directives. This is a temporary measure only.

Engage DDoS protection upstream for volumetric attacks

For internet-facing HTTP/2 services: DDoS protection services (Cloudflare, AWS Shield, Google Cloud Armor) detect and absorb Rapid Reset attacks at the network edge. Scrubbing centres and anycast routing with Rapid Reset signatures are the practical defence for services that cannot tolerate any degradation.

The bottom line

CVE-2023-44487 demonstrates that vulnerability-class thinking must extend to protocol design, not just implementation code. HTTP/2's stream cancellation semantics are working as specified — the exploit is a consequence of how the protocol was designed, not a coding error. All compliant HTTP/2 implementations are affected.

The practical lesson is not that HTTP/2 should be abandoned — it is a significant performance improvement over HTTP/1.1 for most use cases. The lesson is that protocol-level efficiency improvements can also be efficiency improvements for attackers. HTTP/2 Rapid Reset allows each attacker connection to generate far more server-side work than HTTP/1.1 connections could, and that asymmetry was exploited at unprecedented scale.

Patch your HTTP/2 stack, implement connection-level rate limiting, and ensure your DDoS protection service has Rapid Reset awareness. The record-breaking attack volumes demonstrated by Google, Cloudflare, and Amazon confirm that unmitigated Rapid Reset attacks can overwhelm servers regardless of their capacity.

Frequently asked questions

What is CVE-2023-44487 (HTTP/2 Rapid Reset)?

CVE-2023-44487 is a DDoS vulnerability in the HTTP/2 protocol. HTTP/2 allows a client to cancel a request by sending an RST_STREAM frame. An attacker opens many requests and immediately cancels them in rapid succession — faster than the server can process them. The server must allocate resources for each request before it can process the cancellation. This asymmetry allows a small number of clients to overwhelm servers with record-breaking request volumes.

Why is it called 'Rapid Reset'?

Because the attack sends HTTP/2 requests and immediately resets (cancels) them using RST_STREAM frames before the server can respond. The cycle repeats at high speed across multiple concurrent streams, creating a continuous flood of new requests that consume server resources without the connection overhead of traditional HTTP/1.1 DDoS attacks.

What makes HTTP/2 Rapid Reset different from previous DDoS attacks?

Traditional volumetric DDoS attacks require huge numbers of attacking clients to generate high request rates. HTTP/2 Rapid Reset allows each client connection to generate thousands of 'new requests' per second by cycling through stream IDs. A botnet that might generate 1M RPS via HTTP/1.1 can generate orders of magnitude more via HTTP/2 Rapid Reset — the peak attacks exceeded 398M RPS with a comparatively small number of IP addresses.

Was CVE-2023-44487 exploited before it was patched?

Yes. Google, Cloudflare, and Amazon all detected active exploitation against their infrastructure for several weeks before the coordinated disclosure on October 10, 2023. The three companies coordinated disclosure with web server vendors to ensure patches were available simultaneously with the public announcement.

Does CVE-2023-44487 allow data theft or code execution?

No. CVE-2023-44487 is purely a denial-of-service vulnerability. It can make HTTP/2 servers unavailable by exhausting their request handling capacity, but it does not allow an attacker to read data, execute code, bypass authentication, or otherwise compromise server integrity. The impact is availability only.

How do I fix CVE-2023-44487?

Update your HTTP/2 server software: nginx 1.25.3+, Apache HTTP Server 2.4.58+, HAProxy (patched versions in October 2023 advisories), IIS (October 2023 Patch Tuesday), Envoy (1.27.1+). If immediate upgrade is not possible, rate-limit HTTP/2 streams per connection, reduce the maximum number of concurrent streams (e.g., nginx: http2_max_concurrent_streams 64), or temporarily disable HTTP/2 and fall back to HTTP/1.1.

Sources & references

  1. NVD
  2. Cloudflare Blog — HTTP/2 Zero-Day Vulnerability Results in Record-Breaking DDoS Attacks
  3. Google Cloud Blog — How it Works: The Novel HTTP/2 'Rapid Reset' DDoS Attack
  4. AWS Security Blog — CVE-2023-44487 — HTTP/2 Rapid Reset
  5. NGINX, Apache HTTP Server, HAProxy security advisories

Author: Eric Bang, Founder & Cybersecurity Evangelist, Decryption Digest
