Massive DDoS Assaults Alarm Tech Titans at Unprecedented Levels
The 2023 HTTP/2 zero-day known as "Rapid Reset" (CVE-2023-44487) has taken a concerning turn. A new variant, named "MadeYouReset" (CVE-2025-8671), was disclosed in August 2025, and it gets around the mitigations many vendors deployed for Rapid Reset, putting numerous major vendors and widely used HTTP/2 stacks back at risk.
Originally, Rapid Reset let a client open a stream and immediately cancel it with RST_STREAM: the server had already started work on the request, but the cancelled stream no longer counted against SETTINGS_MAX_CONCURRENT_STREAMS, so the concurrency limit never bit. The standard fix was to cap the number and rate of RST_STREAM frames a client may send. MadeYouReset achieves the same effect without the client sending a single RST_STREAM. Instead, each request is followed by a frame that is a stream-level protocol error, such as a WINDOW_UPDATE with a zero increment or other invalid content, a malformed PRIORITY frame, a frame of illegal length, or a frame sent after the stream was closed. The specification obliges the server to answer with a stream error, so the server itself resets the stream, the stream stops counting towards the limit, and the backend keeps processing the request. Mitigations that count only client-initiated resets therefore never trigger.
This flaw affects a wide range of vendors and projects, including Apache Tomcat, Netty, F5 BIG-IP, Cisco, Google, IBM, and Microsoft. The impact ranges from CPU exhaustion and full denial of service to out-of-memory crashes, depending on how an implementation manages the work behind a stream that its protocol layer has already discarded. The root cause is a mismatch between the HTTP/2 specification and its implementations: the specification stops counting a stream against the concurrency limit once it is reset, while implementations keep spending resources on the request that stream carried.
To mitigate this threat, organisations are advised to:
- limit the number and rate of RST_STREAM frames the server itself sends on a connection, since in MadeYouReset the reset is server-initiated and a cap on client-sent resets alone will not trigger;
- rate-limit or cap the number of malformed or out-of-place control frames (WINDOW_UPDATE, PRIORITY, and frames on closed streams) accepted from a client;
- treat protocol flow errors strictly as connection errors, closing the connection with GOAWAY rather than resetting a single stream, so an abusive client is cut off early;
- apply vendor-issued patches and updates as they become available;
- coordinate disclosure and mitigation efforts across vendors and users.
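To make the accounting gap concrete, here is an added example in Python, written for this page and not code from any of the affected vendors or from the researchers who disclosed MadeYouReset. It models a server that tracks concurrent streams separately from backend work, then feeds it two constructed attack byte streams: Rapid Reset (a client RST_STREAM after every request) and MadeYouReset (a WINDOW_UPDATE with increment 0, which RFC 9113 section 6.9 requires the server to treat as a stream error). Under a policy that counts only client-sent resets, the second attack queues every request while the concurrency limit is never enforced; the two policy switches in the model, counting server-sent resets and escalating stream errors to connection errors, correspond to the first and third pieces of advice above. The frame contents, the budgets, the HPACK byte and the `Server` class are all assumptions of this toy model.

```python
"""Toy HTTP/2 server-side stream bookkeeping (constructed example, not vendor code).
Shows why counting only client RST_STREAM frames misses MadeYouReset, and how
counting server-sent resets or escalating stream errors closes the gap."""
import struct
from dataclasses import dataclass, field

# Frame types, flag and error codes from RFC 9113 sections 6 and 7.
HEADERS, PRIORITY, RST_STREAM, WINDOW_UPDATE = 0x1, 0x2, 0x3, 0x8
END_STREAM = 0x1
PROTOCOL_ERROR, FRAME_SIZE_ERROR, CANCEL = 0x1, 0x6, 0x8


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, R bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, sid, data[off + 9:off + 9 + length]))
        off += 9 + length
    return frames


@dataclass
class Server:
    max_concurrent: int = 100             # SETTINGS_MAX_CONCURRENT_STREAMS
    reset_budget: int = 50                # resets tolerated before GOAWAY
    count_server_resets: bool = False     # hardened: count RST_STREAMs we send too
    escalate_stream_errors: bool = False  # hardened: stream error -> connection error
    active: set = field(default_factory=set)         # streams counted for concurrency
    backlog: list = field(default_factory=list)      # requests handed to the backend
    sent_resets: list = field(default_factory=list)  # RST_STREAM frames we emitted
    resets: int = 0
    closed: bool = False

    def _count_reset(self):
        self.resets += 1
        if self.resets > self.reset_budget:
            self.closed = True  # would send GOAWAY(ENHANCE_YOUR_CALM)

    def _stream_error(self, sid, code):
        """Server-initiated reset: the stream stops counting, the backend work does not."""
        self.active.discard(sid)
        self.sent_resets.append(frame(RST_STREAM, 0, sid, struct.pack(">I", code)))
        if self.escalate_stream_errors:
            self.closed = True
        elif self.count_server_resets:
            self._count_reset()

    def feed(self, data):
        """Process client frames; return how many requests reached the backend."""
        for ftype, flags, sid, payload in parse_frames(data):
            if self.closed:
                break
            if ftype == HEADERS and flags & END_STREAM:
                if len(self.active) >= self.max_concurrent:
                    continue  # refused: no backend work queued
                self.active.add(sid)
                self.backlog.append(sid)  # expensive request starts now
            elif ftype == RST_STREAM:  # Rapid Reset: client cancels, work keeps running
                self.active.discard(sid)
                self._count_reset()
            elif ftype == WINDOW_UPDATE and sid in self.active:
                if len(payload) != 4:
                    self.closed = True  # FRAME_SIZE_ERROR is a connection error (6.9)
                elif struct.unpack(">I", payload)[0] & 0x7FFFFFFF == 0:
                    self._stream_error(sid, PROTOCOL_ERROR)  # zero increment (6.9)
            elif ftype == PRIORITY and sid in self.active and len(payload) != 5:
                self._stream_error(sid, FRAME_SIZE_ERROR)  # wrong length (6.3)
        return len(self.backlog)


def rapid_reset(n):
    """Client opens a request and immediately cancels it, n times (Rapid Reset)."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, END_STREAM, sid, b"\x82")  # HPACK indexed ':method GET'
        out += frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return out


def made_you_reset(n):
    """Client opens a request, then sends WINDOW_UPDATE with increment 0 so the
    server resets the stream itself (MadeYouReset); no client RST_STREAM at all."""
    out = b""
    for i in range(n):
        sid = 2 * i + 1
        out += frame(HEADERS, END_STREAM, sid, b"\x82")
        out += frame(WINDOW_UPDATE, 0, sid, struct.pack(">I", 0))
    return out


def simulate(attack, **policy):
    """Feed one attack stream to a fresh server; return (backlog, closed, resets sent)."""
    srv = Server(**policy)
    return srv.feed(attack), srv.closed, len(srv.sent_resets)


if __name__ == "__main__":
    print("Rapid Reset, legacy policy     :", simulate(rapid_reset(1000)))
    print("MadeYouReset, legacy policy    :", simulate(made_you_reset(1000)))
    print("MadeYouReset, count own resets :", simulate(made_you_reset(1000), count_server_resets=True))
    print("MadeYouReset, escalate errors  :", simulate(made_you_reset(1000), escalate_stream_errors=True))
```

With the legacy policy the Rapid Reset stream is cut off after 51 requests, but MadeYouReset pushes all 1000 requests into the backend with the connection still open and the active-stream count never above one. Counting the server's own RST_STREAM frames brings MadeYouReset back to the same 51-request ceiling; treating the first malformed WINDOW_UPDATE as a connection error stops it at a single request.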
Although several major projects, among them GitHub, Apache HTTP Server, Apache Traffic Server, and Aruba Networks, have reported that they are not affected by CVE-2025-8671, many other vendors remain affected or are still investigating under the coordinated advisory.
In summary, organisations should prioritise updating HTTP/2 software from affected vendors as patches are released; implement rate limiting on HTTP/2 control frames and on RST_STREAM frames, including those the server itself sends; log per-connection counts of resets and protocol-error frames, since a connection that produces many resets with few completed requests is the signature of both attacks; and follow vendor security advisories and CERT/CC updates on this vulnerability and its mitigation status.
This vulnerability series highlights the difficulty of defending against subtle protocol abuse: Rapid Reset used only valid frames, and MadeYouReset uses frames the server is required by the specification to reject, yet both cause large-scale resource exhaustion and disruption. Commenting on the original 2023 Rapid Reset disclosure, David Holmes, a principal analyst at Forrester, stated that HTTP/2 Rapid Reset is an optimisation of an older attack method called asymmetric query attacks: the new rapid reset attack might allow the attacker to request a PDF a thousand times a second instead of a hundred, but the impact on the web server remains significant.
Cloudflare CSO Grant Bourzikas warned at the time that this zero-day had given threat actors a new tool to attack at a magnitude never seen before, while Forrester's David Holmes suggested that the new rapid reset attack is a more efficient version of an existing attack method rather than a fundamentally new threat. According to AWS, the 2023 attacks continued through September, with an unusual spike of 155 million requests per second observed on Aug. 28-29, 2023.
CVE-2023-44487 carries a high-severity CVSS score of 7.5, according to Google. Because of the client/server asymmetry of HTTP, a malicious client can trigger very expensive work on the server with relatively little compute power or bandwidth: a HEADERS frame of a few dozen bytes is enough to start a request, and cancelling it costs the client nothing. The DDoS attacks using this vulnerability reached record-breaking scale; Google reported a peak of 398 million requests per second, and Cloudflare attributed one attack to a botnet of roughly 20,000 machines.
In conclusion, these vulnerabilities give threat actors a tool for generating request volumes that overwhelm a site from a modest number of machines. Organisations must remain vigilant and follow the mitigation strategies above to protect their systems.
- MadeYouReset (CVE-2025-8671), a variant of Rapid Reset that evades the original fix, shows that HTTP/2 stream accounting has to be defended at the implementation level: not only against client-initiated resets, but against every path by which a stream can stop counting while the request it carried keeps running.
- Organisations should prioritise updating HTTP/2 software from affected vendors, apply the mitigations above (rate limits on control frames and on RST_STREAM in both directions, and treating protocol errors as connection errors), and follow current security advisories, because abuse of the protocol's own error handling can lead to large-scale resource exhaustion and system disruption.