Gigantic cloud platforms issue warnings over overwhelming DDoS assaults reaching new heights
In the digital world, a significant threat has emerged this year, as cybercriminals have exploited the HTTP/2 Rapid Reset zero-day vulnerability, tracked as CVE-2023-44487, to launch unprecedented DDoS attacks.
This vulnerability, primarily used to induce denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks, has been abused by attackers to cause excessive resets from clients, overwhelming server resources and disrupting legitimate traffic. According to Cloudflare's Chief Security Officer (CSO), Grant Bourzikas, this zero-day provides threat actors with a critical new tool for attacking victims at a magnitude never seen before.
The Rapid Reset attack is a form of asymmetric DDoS attack: the cost to the attacker is low, while the server bears a disproportionately high processing burden. This makes it an effective amplification vector, similar to asymmetric query attacks.
Following the discovery of Rapid Reset, a related and more potent attack called MadeYouReset (CVE-2025-8671) emerged in 2025. MadeYouReset builds on Rapid Reset by bypassing server-imposed request limits, allowing attackers to create even larger-scale DoS conditions by overwhelming server resources with thousands of HTTP/2 stream reset requests.
Major infrastructure providers like GitHub and Apache have confirmed they are not affected by the original Rapid Reset or variants like MadeYouReset. However, many vendors have implemented mitigations, such as rate-limiting RST_STREAM frames from clients, to reduce the effectiveness of these attacks. Coordination among researchers and vendors continues to address these protocol-level weaknesses and enhance mitigation strategies.
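The RST_STREAM rate-limiting mitigation mentioned above, sketched as an added example (not code from any vendor named in this article): a per-connection sliding-window counter that signals GOAWAY once client resets exceed a threshold. The threshold, window, class and function names, and the sample traffic are assumptions constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass, field

# Assumed policy values for illustration; tune against real traffic.
MAX_RESETS_PER_WINDOW = 100   # client RST_STREAM frames tolerated per window
WINDOW_SECONDS = 1.0

@dataclass
class ConnectionGuard:
    """Sliding-window count of client-sent RST_STREAM frames on one connection."""
    max_resets: int = MAX_RESETS_PER_WINDOW
    window: float = WINDOW_SECONDS
    resets: deque = field(default_factory=deque)
    closed: bool = False

    def on_frame(self, frame_type: str, now: float) -> str:
        """Return 'ok', or 'goaway' once the connection should be torn down."""
        if self.closed:
            return "goaway"
        if frame_type == "RST_STREAM":
            self.resets.append(now)
            # Drop resets that have aged out of the window.
            while now - self.resets[0] > self.window:
                self.resets.popleft()
            if len(self.resets) > self.max_resets:
                self.closed = True
                return "goaway"
        return "ok"

def replay(events):
    """Feed (timestamp, frame_type) pairs to a fresh guard.
    Returns the index of the frame that tripped it, or None."""
    guard = ConnectionGuard()
    for i, (ts, frame_type) in enumerate(events):
        if guard.on_frame(frame_type, ts) == "goaway":
            return i
    return None

# Constructed sample traffic, not captured data.
# Browser-like client: 20 requests over 2 s, two of them cancelled.
benign = []
for n in range(20):
    benign.append((n * 0.1, "HEADERS"))
    if n % 10 == 0:
        benign.append((n * 0.1 + 0.05, "RST_STREAM"))
# Rapid Reset pattern: every HEADERS is cancelled immediately.
flood = []
for n in range(500):
    flood.extend([(n * 0.001, "HEADERS"), (n * 0.001, "RST_STREAM")])

if __name__ == "__main__":
    print("benign tripped at:", replay(benign))
    print("flood tripped at:", replay(flood))
```

The guard counts only RST_STREAM frames sent by the client, which is the limit the paragraph above describes.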
The attacks have reached a record-breaking scale, with Google observing peaks at 398 million requests per second. AWS detected an unusual spike in requests at 155 million requests per second on Aug. 28-29. Cloudflare's CSO, Grant Bourzikas, reported that they handled these mass exploits of the zero-day vulnerability, which peaked at about 201 million requests per second.
The modestly sized botnet used in these attacks consists of roughly 20,000 machines, according to Cloudflare's CSO. Because of the client/server nature of HTTP and most of the web, malicious clients can make expensive requests using relatively little compute power or packet space.
David Holmes, a principal analyst at Forrester, states that HTTP/2 Rapid Reset remains just an optimization of an older attack method called asymmetric query attacks. An example given by Holmes is a malicious client requesting a large PDF a hundred times a second for a couple of hours. The vulnerability allows attackers to make hundreds of thousands of requests and then immediately cancel them, overwhelming the site.
Security researchers are warning about the attacks. With a high-severity CVSS score of 7.5, this vulnerability poses a serious threat to websites worldwide. The attacks surpass the peak DDoS attack observed during 2022, which topped out at 46 million requests per second.
Despite these challenges, the digital community remains vigilant, working together to mitigate these threats and enhance the security of the web.
- The high-severity zero-day vulnerability CVE-2023-44487 in HTTP/2, exploited for massive DDoS attacks, has caused significant concern within the data and cloud computing sector, especially in cybersecurity, as it poses a serious threat to websites worldwide.
- A newer and more potent attack dubbed MadeYouReset (CVE-2025-8671) was discovered in 2025. It builds on the Rapid Reset vulnerability, bypasses server-imposed request limits, and causes even larger-scale disruptions by overwhelming server resources with thousands of HTTP/2 stream reset requests.