
HTTP/2, despite being a decade-old standard, continues to be a target for innovative DDoS attacks. The latest discovered vector, MadeYouReset (CVE-2025-8671), exploits implementation flaws in HTTP/2 stream handling, reminiscent of the Rapid Reset attacks that made headlines in 2023.
How MadeYouReset Works
At the core of MadeYouReset is a mismatch between HTTP/2 stream accounting and backend request processing.
- HTTP/2 streams can be cancelled by either client or server. Most implementations, however, continue to process the request after a stream reset.
- An attacker repeatedly opens new streams and triggers server-initiated resets using malformed frames or flow-control errors.
- The server considers the streams closed, freeing them from the concurrent streams limit (SETTINGS_MAX_CONCURRENT_STREAMS), but continues backend processing.
- This allows a single connection to spawn unbounded concurrent requests, overloading CPU and memory resources without increasing observable HTTP/2 stream count.
The attack uses invalid frames such as:
- WINDOW_UPDATE frames with prohibited increments
- HEADERS, DATA, or CONTINUATION frames on half-closed streams
- Incorrect PRIORITY frames
Unlike Rapid Reset, the attacker doesn’t directly send RST_STREAM frames, making detection more difficult.
Affected implementations include Apache Tomcat, F5, Fastly, Varnish, gRPC, Mozilla, Netty, and more. Some patches have already been released, but many projects are still evaluating the impact.
Why This Happens: Implementation vs Standard
The MadeYouReset attack highlights a key challenge in HTTP/2 development:
- RFC 9113 mandates stream errors for certain invalid frames, but allows discretion for others.
- Implementations aiming for RFC compliance may inadvertently leave themselves exposed.
- Even a mature protocol like HTTP/2 can have latent vulnerabilities after ten years, especially under high-concurrency scenarios.
This demonstrates the difficulty of balancing standards compliance, performance, and security in real-world deployments.
Mitigation Strategies
Mitigating MadeYouReset requires a multi-layered approach:
1. HTTP Request Rate Limiting
Most reverse proxies (Tempesta FW, Nginx, HAProxy) provide request rate-limiting to throttle clients. While effective against excessive concurrent requests, it may block legitimate clients if thresholds are too aggressive.
2. Control Frame Rate Limiting
HTTP/2 control frames (PING, SETTINGS, PRIORITY, RST_STREAM) must be rate-limited to prevent resource exhaustion:
- PING: 100/sec
- SETTINGS & RST_STREAM: 5/sec
- PRIORITY: 30/sec
Sliding-window counters and per-client monitoring allow fine-tuning. Tempesta FW, for example, exports /proc/tempesta/perfstat counters for this purpose.
3. Fine-Tuning Limits
Rate limits can be scaled using multipliers (ctrl_frame_rate_multiplier) to adapt to real-world client behavior without significantly impacting user experience.
4. Patch and Monitor
Ensure all affected services are patched. Track abnormal increases in RST/PRIORITY frame counts or backend request queues, as these can indicate attempted exploitation.
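As an added illustration (not FastNetMon's or Tempesta FW's code), the sketch below combines the two defensive ideas above: a per-client sliding-window limiter using the control-frame ceilings from section 2, scaled by a multiplier in the spirit of ctrl_frame_rate_multiplier, and a concurrency budget that keys on backend work still in flight, so the accounting gap described under "How MadeYouReset Works" does not let server-reset streams slip past SETTINGS_MAX_CONCURRENT_STREAMS. Class and function names are assumptions, and the simulated attacker input is constructed.

```python
from collections import deque

# Per-second ceilings for HTTP/2 control frames, as listed in the post above.
BASE_LIMITS = {"PING": 100, "SETTINGS": 5, "RST_STREAM": 5, "PRIORITY": 30}

class ControlFrameLimiter:
    """1-second sliding-window counter per (client, frame type); `multiplier`
    plays the role of a ctrl_frame_rate_multiplier-style knob on every limit."""
    def __init__(self, multiplier=1.0):
        self.limits = {k: v * multiplier for k, v in BASE_LIMITS.items()}
        self.events = {}  # (client, frame_type) -> deque of timestamps

    def allow(self, client, frame_type, now):
        limit = self.limits.get(frame_type)
        if limit is None:
            return True  # DATA/HEADERS etc. are not covered by this limiter
        q = self.events.setdefault((client, frame_type), deque())
        while q and now - q[0] >= 1.0:
            q.popleft()  # forget events that slid out of the window
        if len(q) >= limit:
            return False  # over budget: drop the frame or close the connection
        q.append(now)
        return True

class StreamBudget:
    """Concurrency budget keyed on backend work still in flight, not on HTTP/2
    stream state: a server-initiated reset frees a slot only when work ends."""
    def __init__(self, max_concurrent):
        self.max_concurrent = max_concurrent
        self.open_streams, self.backend_inflight = set(), set()

    def open_stream(self, sid):
        if len(self.backend_inflight) >= self.max_concurrent:
            return False  # reset-but-unfinished streams still occupy slots
        self.open_streams.add(sid)
        self.backend_inflight.add(sid)
        return True
    def server_reset(self, sid):
        self.open_streams.discard(sid)  # closed on the wire, backend still busy
    def backend_done(self, sid):
        self.backend_inflight.discard(sid)

def simulate_made_you_reset(max_concurrent, attempts):
    """Constructed attacker: every stream is server-reset before its backend
    work completes; returns how many streams the budget actually admitted."""
    budget, admitted = StreamBudget(max_concurrent), 0
    for sid in range(1, 2 * attempts, 2):  # client-initiated streams use odd ids
        if budget.open_stream(sid):
            admitted += 1
            budget.server_reset(sid)
    return admitted
```

With per-stream-state accounting the simulation would admit every attempt, because each reset stream would immediately free its slot; the in-flight budget caps it at `max_concurrent` until the backend reports completion.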
The Bigger Picture
MadeYouReset is a reminder that even well-established protocols can develop new vulnerabilities over time. As organizations move toward HTTP/3 and QUIC, network engineers should anticipate similar attacks on newer protocols, particularly under high-concurrency or multiplexing scenarios.
HTTP/2 attacks like Rapid Reset, CONTINUATION frame floods, and now MadeYouReset underline the importance of visibility, observability, and proactive rate-limiting in modern DDoS defense.
About FastNetMon
FastNetMon is a leading solution for network security, offering advanced DDoS detection and mitigation. With real-time analytics and rapid response capabilities, FastNetMon helps organisations protect their infrastructure from evolving cyber threats. For more information, visit https://fastnetmon.com