The new DDoS attack vector, which involves HTTP/2 implementation flaws, has been compared to Rapid Reset.
August 14, 2025 By Eduard Kovacs
Researchers have discovered another attack vector that can be exploited to launch massive distributed denial-of-service (DDoS) attacks.
The attack, dubbed MadeYouReset, is similar to Rapid Reset, which in 2023 was exploited in zero-day attacks that broke DDoS records in terms of requests per second (RPS).
MadeYouReset, discovered by researchers at security firm Imperva and Tel Aviv University in Israel, leverages a design flaw in HTTP2 implementations.
“HTTP/2 introduced stream cancellation – the ability of both client and server to immediately close a stream at any time. However, after a stream is canceled, many implementations keep processing the request, compute the response, but don’t send it back to the client,” the CERT/CC at Carnegie Mellon University explained in an advisory. “This creates a mismatch between the amount of active streams from the HTTP/2 point of view, and the actual active HTTP requests the backend server is processing.”