Last active June 27, 2024 16:52
HTTP/2 Rapid Reset DDoS Attack


This Gist aims to centralise the most relevant public sources of information related to the HTTP/2 Rapid Reset vulnerability. This vulnerability has been disclosed jointly by Google, Amazon AWS, and Cloudflare on 10 October 2023 at 12:00 UTC.

Please help us make this page as comprehensive as possible by contributing relevant references, vendor advisories and statements, mitigations, etc.


Vendor advisories and statements

Testing if HTTP/2 is enabled

Each of the following checks whether a server negotiates HTTP/2 (replace <host> with the server to check):

echo 1 | openssl s_client -alpn h2 -connect <host>:443 -status 2>&1 | grep "ALPN"

nmap -p 443 --script=tls-nextprotoneg <host>

curl -Is --http2-prior-knowledge https://<host>/ | head -1

Testing if it's vulnerable (use at your own risk)

Potential remediation

NGINX can be configured to mitigate the vulnerability:

  • Disabling HTTP/2 in NGINX is not necessary. Simply ensure you have configured:

    • keepalive_requests should be kept at the default setting of 1000 requests
    • http2_max_concurrent_streams should be kept at the default setting of 128 streams
    • limit_conn and limit_req should be set "with a reasonable setting balancing application performance and security"

If you want to remove HTTP/2 support entirely:

  • Remove the http2 parameter from the listen directive
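The settings from the two lists above collected into one NGINX server block, as an added example that is not from the Gist or from NGINX's own documentation. The zone sizes, the rate of 10r/s, the burst of 20 and the per-client connection cap of 20 are assumptions chosen for illustration and must be tuned to the application, as the list says; host name, certificate paths and upstream address are placeholders.

```nginx
# Shared-memory zones keyed on the client address. Sizes and rates are
# illustrative assumptions, not values recommended by the Gist.
limit_conn_zone $binary_remote_addr zone=per_ip_conn:10m;
limit_req_zone  $binary_remote_addr zone=per_ip_req:10m rate=10r/s;

server {
    # HTTP/2 stays enabled here. To drop HTTP/2 support instead, remove
    # "http2" from this listen directive; clients then get HTTP/1.1 only.
    listen 443 ssl http2;
    server_name example.com;                                # placeholder
    ssl_certificate     /etc/nginx/tls/fullchain.pem;       # placeholder
    ssl_certificate_key /etc/nginx/tls/privkey.pem;         # placeholder

    # The defaults the Gist says to keep, stated explicitly so that a
    # broader override elsewhere in the configuration cannot raise them.
    keepalive_requests 1000;
    http2_max_concurrent_streams 128;

    # Per-client bounds on open connections and request rate. A reset flood
    # creates requests far faster than a real client, so it hits these
    # limits and receives 429 instead of being proxied to the backend.
    limit_conn per_ip_conn 20;
    limit_req  zone=per_ip_req burst=20 nodelay;
    limit_conn_status 429;
    limit_req_status  429;

    location / {
        proxy_pass http://127.0.0.1:8080;                   # placeholder
    }
}
```

Run nginx -t after editing so a syntax error does not take the listener down on reload.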

DDoS protection / CDNs

Web apps that are behind the following DDoS protection providers / CDNs should not be impacted:

  • AWS
  • Cloudflare
  • Google Cloud
  • Microsoft Azure
adulau commented Oct 16, 2023

@crstian19 Thank you, it's updated.


Apache Tomcat apache/tomcat@9cdfe25 was backported to the released 11.1.14. However, this version had a regression, so it is better to use 11.1.15.


Hello, besides this information, are there any public datasets related to these attacks? I'm currently doing research on the topic and it would be very useful to check traffic generated by this kind of attack. Thank you in advance.


shblue21 commented Jan 3, 2024

Thank you for the docs. It's the LiteSpeed rapid reset blog.
