A new attack on the implementation of the http/2 protocol has been discovered, making it easier to carry out denial of service attacks by exhausting server resources. This vulnerability, known as madeyoureeset, allows attackers to flood a server with a large number of requests by bypassing established restrictions through manipulations.
An attacker can create numerous simultaneously processed flows, bypassing the settings_max_concurrent_streams limit, and dropping each stream at the initial stage. This reset allows the client to send a continuous flow of requests without waiting for a response from the server, utilizing the full capacity of the communication channel.
By attacking with minimal overhead costs, the client can overwhelm the server with incoming requests while bypassing delays between request and response. This can lead to the server continuing to spend resources on processing these requests, even though they are being dropped at the initial stage.
This vulnerability is similar to a previously known issue called Rapid Reset (CVE-2023-44487) and is caused by discrepancies between the logic of flows in the HTTP/2 protocol specification and its implementations in various servers. The key difference in this new attack is that the server takes the initiative in processing requests, rather than utilizing the Rst_stream flag sent by the client.
The server starts processing a request when incorrect requests are received, but it discards them immediately without full processing. Attackers can exploit this by sending a correct HTTP request followed by an incorrect sequence of HTTP/2 control frames, causing the server to initiate processing and then discard the request.
This vulnerability has been confirmed in http servers like Apache Tomcat, Netty, Eclipse Jetty, and