“MadeYouReset”: A New HTTP/2 DDoS Attack Bypasses Rapid Reset Defenses
A newly discovered attack on the HTTP/2 protocol, dubbed MadeYouReset, has been unveiled by researchers from Tel Aviv University and disclosed following coordinated reporting through Akamai’s bug bounty program. Although Akamai’s own HTTP/2 implementation proved resilient, the company considered it important to detail both the context and the underlying vulnerability. The flaw arises from a stream-handling logic issue: a client deliberately sends malformed control messages, compelling the server to reset the stream. Once reset, the client can immediately open a new stream—without waiting for confirmation—effectively bypassing limits on the number of active connections.
The attack mechanism bears resemblance to the widely publicized 2023 HTTP/2 Rapid Reset vulnerability (CVE-2023-44487), which enabled large-scale Layer 7 DDoS attacks by quickly cancelling costly requests and immediately initiating new ones. In its classic form, a client at the stream limit would close one stream and instantly open another, technically staying within protocol rules. This burdened the server with an endless cycle of resource-intensive requests.
MadeYouReset employs a different vector: rather than relying on client-initiated resets, the attacker manipulates the server into performing the reset by sending messages with invalid lengths, extraneous or zero flow-control credits, or data after the request has concluded. This approach bypasses some of the simplified safeguards introduced after Rapid Reset, which monitored only the number of resets initiated by clients.
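The gap described above, that a counter which only tallies client-sent RST_STREAM frames never trips when the server is the one forced to reset, can be shown with a small model. This is an added example, not code from Akamai or from any affected implementation; the event model, the trace builder and the threshold are assumptions of the example, and the "fixed" counter simply charges server-forced resets to the client's reset budget as well.

```python
from typing import Iterable, List, Tuple

# Constructed event model (an assumption of this example, not a real server API):
# each event is (stream_id, kind), with kind one of
#   "HEADERS"    client opens a stream
#   "END"        request finishes normally
#   "RST_CLIENT" client sends RST_STREAM itself (the Rapid Reset pattern)
#   "PROTO_ERR"  client sends a malformed frame (bad length, bogus flow-control
#                credit, DATA after the request ended), so the server must
#                send RST_STREAM on the client's behalf (the MadeYouReset pattern)
Event = Tuple[int, str]

CLIENT_RESETS = {"RST_CLIENT"}
SERVER_FORCED_RESETS = {"PROTO_ERR"}


def count_resets(events: Iterable[Event], include_server_forced: bool) -> int:
    """Count resets on one connection. A Rapid-Reset-era counter looks only at
    RST_STREAM frames the client sent; a MadeYouReset-aware counter also counts
    every reset the server was compelled to send because of a client protocol error."""
    kinds = CLIENT_RESETS | (SERVER_FORCED_RESETS if include_server_forced else set())
    return sum(1 for _, kind in events if kind in kinds)


def should_close_connection(events: Iterable[Event], max_resets: int,
                            include_server_forced: bool) -> bool:
    """Policy: drop the connection once its reset count exceeds max_resets."""
    return count_resets(events, include_server_forced) > max_resets


def trace(pattern: str, streams: int) -> List[Event]:
    """Build a constructed trace: each client stream is opened and then ends with
    `pattern` (END, RST_CLIENT or PROTO_ERR). HTTP/2 client stream ids are odd."""
    out: List[Event] = []
    for i in range(streams):
        sid = 2 * i + 1
        out.append((sid, "HEADERS"))
        out.append((sid, pattern))
    return out


if __name__ == "__main__":
    limit = 100  # assumed per-connection reset budget
    for name, pattern in [("legit", "END"), ("rapid-reset", "RST_CLIENT"),
                          ("made-you-reset", "PROTO_ERR")]:
        t = trace(pattern, 500)
        print(f"{name:15} legacy counter closes: {should_close_connection(t, limit, False)!s:5} "
              f"fixed counter closes: {should_close_connection(t, limit, True)}")
```

Only the fixed counter closes the connection on the made-you-reset trace; both close it on the rapid-reset trace and neither touches the legitimate one.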
According to Akamai, fewer HTTP/2 implementations were vulnerable to MadeYouReset than to Rapid Reset, thanks in part to mitigations introduced after the 2023 incidents. Nonetheless, several stacks were affected, prompting coordinated patch development through CERT. No live attacks using this new method have been observed, and the vulnerability was addressed before any known exploitation. Each affected implementation received its own CVE identifier, because the nature of the flaw varied from one stack to another.
Importantly, such attacks are not exclusive to HTTP/2. In HTTP/3, which uses the QUIC transport protocol, stream management is largely handled at the transport layer, reducing—but not eliminating—the risk of similar logic errors. Even here, past issues have been found in areas such as route validation and connection identifier handling, with fixes applied through private coordinated disclosure and patch releases before public announcement.
Akamai emphasizes that episodes like this highlight the quiet yet crucial machinery of the internet’s collective defense—cooperation between vendors, researchers, and coordination centers—preventing large-scale failures long before end users ever notice their potential impact.