HTTP/2-based DDoS attacks have surged, surpassing previous Layer 7 attacks. Google's global load balancing infrastructure effectively mitigated these attacks at the network edge, preventing outages. The attacks exploit HTTP/2 stream multiplexing together with immediate stream cancellation (the "Rapid Reset" technique) to achieve high request rates. The Rapid Reset attack relies on clients canceling requests immediately after sending them, allowing for an effectively unbounded number of in-flight requests and creating a cost asymmetry between server and client: the server does work for each request while the client pays almost nothing to cancel it. Attack variants include delayed cancellation and exceeding stream limits. Mitigations involve tracking per-connection statistics and closing connections with GOAWAY frames when abuse is detected. HTTP/2 servers should close connections that exceed the advertised stream limit to mitigate the non-cancelling variants. These attack methods are unlikely to translate directly to HTTP/3 due to protocol differences. Google coordinated with industry partners to address the HTTP/2 vulnerability through a coordinated disclosure process.
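The two server-side mitigations described above, per-connection statistics that trigger GOAWAY on an abusive RST_STREAM rate and closing connections that exceed the stream limit, can be modelled as a small monitor. The code below is an added illustration written for this summary, not Google's own code nor a real HTTP/2 stack; the thresholds, the simplified frame representation and the three frame traces are constructed for the example.

```python
"""Per-connection abuse monitor for HTTP/2 Rapid Reset style traffic.

Added example (not Google's code): models (1) counting client RST_STREAM
frames in a sliding window and answering with GOAWAY when the rate is
abusive, and (2) closing the connection when the client exceeds the
advertised SETTINGS_MAX_CONCURRENT_STREAMS.  Thresholds are assumed.
"""
from collections import deque
from typing import Deque, List, Optional, Set, Tuple

# Simplified frame: (timestamp_seconds, frame_type, stream_id).
Frame = Tuple[float, str, int]


class ConnectionMonitor:
    """Tracks one HTTP/2 connection and decides when to send GOAWAY."""

    def __init__(self, max_concurrent_streams: int = 100,
                 reset_window: float = 1.0,
                 max_resets_per_window: int = 50) -> None:
        self.max_concurrent_streams = max_concurrent_streams  # advertised limit
        self.reset_window = reset_window                      # seconds
        self.max_resets_per_window = max_resets_per_window    # assumed threshold
        self.open_streams: Set[int] = set()
        self.reset_times: Deque[float] = deque()
        self.goaway_reason: Optional[str] = None

    def _goaway(self, reason: str) -> str:
        self.goaway_reason = reason
        return "GOAWAY"

    def on_headers(self, stream_id: int, now: float) -> Optional[str]:
        """Client opened a new stream (one request)."""
        if self.goaway_reason:
            return "GOAWAY"
        self.open_streams.add(stream_id)
        # Non-cancelling variant: more open streams than we allowed.
        if len(self.open_streams) > self.max_concurrent_streams:
            return self._goaway("stream_limit_exceeded")
        return None

    def on_rst_stream(self, stream_id: int, now: float) -> Optional[str]:
        """Client cancelled a stream; the cancel frees a concurrency slot."""
        if self.goaway_reason:
            return "GOAWAY"
        self.open_streams.discard(stream_id)
        self.reset_times.append(now)
        # Forget resets that fell out of the sliding window.
        while self.reset_times and now - self.reset_times[0] > self.reset_window:
            self.reset_times.popleft()
        # Rapid Reset (and delayed-cancel) variants: cancel rate far above
        # anything an interactive client produces.
        if len(self.reset_times) > self.max_resets_per_window:
            return self._goaway("reset_rate_exceeded")
        return None

    def on_stream_complete(self, stream_id: int) -> None:
        """Server finished the response; the slot is released normally."""
        self.open_streams.discard(stream_id)


def run_trace(frames: List[Frame], **policy: int) -> Tuple[Optional[str], int]:
    """Feed a frame trace to a fresh monitor; return (goaway_reason, frames_seen)."""
    mon = ConnectionMonitor(**policy)
    for i, (ts, kind, sid) in enumerate(frames, start=1):
        if kind == "HEADERS":
            decision = mon.on_headers(sid, ts)
        elif kind == "RST_STREAM":
            decision = mon.on_rst_stream(sid, ts)
        elif kind == "END_STREAM":
            mon.on_stream_complete(sid)
            decision = None
        else:
            raise ValueError(f"unknown frame type {kind}")
        if decision == "GOAWAY":
            return mon.goaway_reason, i
    return None, len(frames)


# Constructed traces (client-initiated stream ids are odd).
def benign_trace() -> List[Frame]:
    """60 requests over 6 s, each answered before the next arrives."""
    frames: List[Frame] = []
    for n in range(60):
        sid, t = 2 * n + 1, n * 0.1
        frames += [(t, "HEADERS", sid), (t + 0.05, "END_STREAM", sid)]
    return frames


def rapid_reset_trace() -> List[Frame]:
    """400 requests, each cancelled immediately, within ~0.4 s."""
    frames: List[Frame] = []
    for n in range(400):
        sid, t = 2 * n + 1, n * 0.001
        frames += [(t, "HEADERS", sid), (t + 0.0001, "RST_STREAM", sid)]
    return frames


def stream_limit_trace() -> List[Frame]:
    """150 streams opened and never cancelled; exceeds a limit of 100."""
    return [(n * 0.01, "HEADERS", 2 * n + 1) for n in range(150)]


if __name__ == "__main__":
    for name, trace in [("benign", benign_trace()),
                        ("rapid_reset", rapid_reset_trace()),
                        ("stream_limit", stream_limit_trace())]:
        print(name, run_trace(trace))
```

The reset-rate check also catches the delayed-cancellation variant, since cancelling a full batch of streams still produces a burst of RST_STREAM frames per window; the stream-limit check covers clients that simply ignore SETTINGS_MAX_CONCURRENT_STREAMS. In a real server the same counters would feed the decision to send GOAWAY and stop accepting new streams on that connection, with the thresholds tuned to the server's observed legitimate traffic.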
