‘MadeYouReset’ HTTP/2 Vulnerability Enables Massive DDoS Attacks
securityweek
Researchers have discovered another attack vector that can be exploited to launch massive distributed denial-of-service (DDoS) attacks.
The attack, dubbed MadeYouReset, is similar to Rapid Reset, which in 2023 was exploited in zero-day attacks that broke DDoS records in terms of requests per second (RPS).
MadeYouReset, discovered by researchers at security firm Imperva and Tel Aviv University in Israel, leverages a design flaw in HTTP/2 implementations.
“HTTP/2 introduced stream cancellation – the ability of both client and server to immediately close a stream at any time. However, after a stream is canceled, many implementations keep processing the request, compute the response, but don’t send it back to the client,” the CERT/CC at Carnegie Mellon University explained in an advisory. “This creates a mismatch between the amount of active streams from the HTTP/2 point of view, and the actual active HTTP requests the backend server is processing.”
“By ...
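The accounting mismatch the CERT/CC advisory describes, as an added example that is not from the SecurityWeek article, the advisory, or any real HTTP/2 server: a toy Python model of one connection in which a client opens a stream, has it reset immediately, and repeats. The `NaiveH2Connection` enforces the stream limit only on the protocol's view of stream state, so the backend ends up processing far more requests than the limit allows; `HardenedH2Connection` budgets on backend work as well and cancels that work on reset. The limit of 100, the `Backend` class, the stream-ID scheme and the `drive` harness are assumptions for illustration, and the model does not depend on which side sends the RST_STREAM.

```python
from dataclasses import dataclass, field

# Assumed value of SETTINGS_MAX_CONCURRENT_STREAMS for this illustration.
MAX_CONCURRENT_STREAMS = 100


@dataclass
class Backend:
    """Stand-in for the application layer behind the HTTP/2 front end.

    A request is 'in flight' from dispatch until it completes. Nothing
    completes on its own in this toy model, which mirrors the attack window:
    streams are opened and reset faster than the backend finishes them.
    `cancellable` models whether the server can actually abort dispatched work.
    """
    cancellable: bool = False
    in_flight: set = field(default_factory=set)

    def dispatch(self, stream_id: int) -> None:
        self.in_flight.add(stream_id)

    def cancel(self, stream_id: int) -> None:
        if self.cancellable:
            self.in_flight.discard(stream_id)


class NaiveH2Connection:
    """Enforces the stream limit using only the HTTP/2 view of stream state.

    A reset stream is closed immediately, as the protocol allows, but the
    backend work it started is neither counted against the budget nor cancelled.
    """

    def __init__(self, backend: Backend) -> None:
        self.backend = backend
        self.open_streams: set[int] = set()
        self.refused = 0

    def on_headers(self, stream_id: int) -> bool:
        """HEADERS frame: open a stream if the concurrency budget allows."""
        if len(self.open_streams) >= MAX_CONCURRENT_STREAMS:
            self.refused += 1          # would answer RST_STREAM(REFUSED_STREAM)
            return False
        self.open_streams.add(stream_id)
        self.backend.dispatch(stream_id)
        return True

    def on_reset(self, stream_id: int) -> None:
        """RST_STREAM: the stream is closed from the HTTP/2 point of view..."""
        self.open_streams.discard(stream_id)
        # ...but self.backend.in_flight still contains stream_id.


class HardenedH2Connection(NaiveH2Connection):
    """Budgets on backend work, not just on protocol-level open streams,
    and asks the backend to cancel dispatched work when the stream is reset."""

    def on_headers(self, stream_id: int) -> bool:
        if len(self.backend.in_flight) >= MAX_CONCURRENT_STREAMS:
            self.refused += 1
            return False
        return super().on_headers(stream_id)

    def on_reset(self, stream_id: int) -> None:
        super().on_reset(stream_id)
        self.backend.cancel(stream_id)


def drive(conn_cls, n_requests: int, cancellable: bool) -> tuple[int, int, int]:
    """Simulate a client that opens a stream and has it reset at once, n times.

    Returns (streams open per the HTTP/2 state machine, requests the backend is
    still processing, streams the server accepted).
    """
    backend = Backend(cancellable=cancellable)
    conn = conn_cls(backend)
    accepted = 0
    for i in range(n_requests):
        stream_id = 2 * i + 1            # client-initiated stream IDs are odd
        if conn.on_headers(stream_id):
            accepted += 1
            conn.on_reset(stream_id)     # stream cancelled right after it opens
    return len(conn.open_streams), len(backend.in_flight), accepted


if __name__ == "__main__":
    for cls, can in [(NaiveH2Connection, False),
                     (HardenedH2Connection, False),
                     (HardenedH2Connection, True)]:
        print(cls.__name__, "cancellable=%s" % can, drive(cls, 10_000, can))
```

Run against 10,000 open-then-reset requests, the naive connection reports zero open streams while the backend is still computing 10,000 responses it will never send, which is the mismatch the advisory describes. The hardened connection with a backend that cannot abort work refuses everything past the first 100 until that work drains, and with a cancellable backend it aborts the work on reset so nothing accumulates. The practical lesson (my reading, not the advisory's wording) is that the concurrency budget must cover requests the backend is actually processing, not just streams the HTTP/2 layer considers open.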
Copyright of this story solely belongs to securityweek.