
Understanding the MadeYouReset Vulnerability: A New Threat to HTTP/2 Servers
The landscape of web security is constantly evolving, with new threats emerging that test the resilience of our digital infrastructure. A recently disclosed vulnerability, dubbed MadeYouReset, affects many HTTP/2 server implementations and creates a significant risk of Denial of Service (DoS) through resource exhaustion. Its mechanism is a new twist on HTTP/2 stream resets, but the good news is that the defenses developed for the 2023 Rapid Reset attack cover this one as well.
This article breaks down what the MadeYouReset vulnerability is, how it works, and the critical steps you can take to protect your systems.
What is the MadeYouReset Vulnerability?
MadeYouReset is a Denial of Service vulnerability in HTTP/2 server implementations. Unlike brute-force attacks that rely on overwhelming bandwidth, it is a resource-exhaustion attack that needs very little traffic. The attacker sends complete, valid requests and then makes the server reset each of those streams itself by following the request with a frame that violates the protocol. The reset frees the stream slot that counts against the server's concurrency limit, but the server has already handed the request to its backend for processing. The attacker can therefore pile up far more in-flight requests on one connection than the server intended to allow, consuming a disproportionate amount of CPU and memory until the server crashes or can no longer serve legitimate users.
The attack targets the gap between how an HTTP/2 server accounts for streams and how many requests it is actually still processing. Its primary impact is severe resource exhaustion, which can take a server offline with a relatively small amount of malicious traffic sent over a single connection.
How the Attack Works
The MadeYouReset attack leverages a logical flaw in how HTTP/2 servers treat streams they have reset. An attacker can execute the exploit by following a simple but effective pattern:
- Establish a Connection: The attacker's client opens an ordinary HTTP/2 connection to the target server.
- Send a Complete Request: On a new stream the client sends a valid request, for example a HEADERS frame carrying the END_STREAM flag. At this point the server hands the request to its backend (the application, an upstream service, or a proxied origin) for processing.
- Make the Server Reset the Stream: The client then sends a frame that is a stream-level protocol violation on that same stream, such as a WINDOW_UPDATE with an increment of 0, a WINDOW_UPDATE that pushes the flow-control window past 2^31-1, a PRIORITY frame whose payload is not 5 bytes long, or a HEADERS or DATA frame after it has already sent END_STREAM. RFC 9113 requires the server to answer a stream error with an RST_STREAM frame, which closes the stream.
- Repeat Rapidly: A closed stream no longer counts toward the server's MAX_CONCURRENT_STREAMS limit, so the client immediately opens the next stream and repeats the cycle thousands of times over the same connection.
The server's HTTP/2 layer believes each stream is finished, but the backend is still working on the complete request it received just before the reset. The attacker therefore gets an effectively unbounded number of requests in flight per connection, far beyond the concurrent-stream limit that is supposed to cap it, and every one of them costs the server CPU and memory. No TCP or TLS handshakes are involved: the cost is paid entirely at the application layer, which is why so little traffic is needed.
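The following is an added illustration, not code from the original article or from Cloudflare. It encodes real HTTP/2 frames (RFC 9113 framing) and feeds them to a deliberately small toy server that models only the two counters MadeYouReset drives apart: streams open at the HTTP/2 layer, which MAX_CONCURRENT_STREAMS bounds, and requests already dispatched to a backend, which nothing bounds once the stream has been reset. The ToyServer class, the made_you_reset and without_reset drivers, and the placeholder HPACK bytes are assumptions made for the example; HPACK decoding, TLS and flow-control arithmetic are left out on purpose.

```python
import struct

# Frame types, flags and error codes from RFC 9113 (sections 6 and 7).
HEADERS, RST_STREAM, WINDOW_UPDATE = 0x1, 0x3, 0x8
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
PROTOCOL_ERROR, REFUSED_STREAM = 0x1, 0x7


def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit plus 31-bit stream identifier, then the payload."""
    assert len(payload) < (1 << 24) and 0 <= stream_id < (1 << 31)
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id) + payload


def parse_frame(raw):
    """Decode a single frame into (type, flags, stream_id, payload)."""
    length = int.from_bytes(raw[:3], "big")
    ftype, flags = raw[3], raw[4]
    stream_id = struct.unpack(">I", raw[5:9])[0] & 0x7FFFFFFF
    return ftype, flags, stream_id, raw[9:9 + length]


def headers_end_stream(stream_id, block=b"\x82\x84"):
    """A complete request: HEADERS with END_HEADERS and END_STREAM. The HPACK
    block is a placeholder (static-table indexes for :method GET and :path /);
    the toy server never decodes it."""
    return frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, stream_id, block)


def window_update(stream_id, increment):
    """WINDOW_UPDATE. An increment of 0 on a stream is a stream error of type
    PROTOCOL_ERROR (RFC 9113 section 6.9) that the server must answer with
    RST_STREAM; that server-sent reset is what MadeYouReset relies on."""
    return frame(WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment & 0x7FFFFFFF))


class ToyServer:
    """Assumed toy model: streams open at the HTTP/2 layer versus requests the
    backend is still working on. Real servers differ in detail."""

    def __init__(self, max_concurrent_streams=1):
        self.max_concurrent_streams = max_concurrent_streams
        self.open_streams = set()
        self.backend_inflight = []   # stream ids whose requests are being processed
        self.sent = []               # (frame type, stream id, error code) the server emits

    def feed(self, raw):
        ftype, flags, sid, payload = parse_frame(raw)
        if ftype == HEADERS:
            if len(self.open_streams) >= self.max_concurrent_streams:
                self.sent.append((RST_STREAM, sid, REFUSED_STREAM))   # limit enforced
                return
            self.open_streams.add(sid)
            if flags & FLAG_END_STREAM:
                self.backend_inflight.append(sid)   # request complete, dispatched now
        elif ftype == WINDOW_UPDATE and sid in self.open_streams:
            increment = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
            if increment == 0:
                # Stream error: the server itself resets the stream. The slot is
                # freed, but nothing cancels the request already at the backend.
                self.sent.append((RST_STREAM, sid, PROTOCOL_ERROR))
                self.open_streams.discard(sid)


def made_you_reset(cycles, max_streams=1):
    """Run the request-then-forced-reset cycle over one connection and report
    the state the server ends up in."""
    srv = ToyServer(max_streams)
    for i in range(cycles):
        sid = 2 * i + 1                      # client-initiated streams are odd
        srv.feed(headers_end_stream(sid))    # complete, valid request
        srv.feed(window_update(sid, 0))      # malformed frame: server resets the stream
    return {
        "open_streams": len(srv.open_streams),
        "backend_inflight": len(srv.backend_inflight),
        "client_sent_rst": 0,                # the client never sends RST_STREAM
        "server_sent_rst": sum(1 for t, _, e in srv.sent if t == RST_STREAM and e == PROTOCOL_ERROR),
        "refused_streams": sum(1 for _, _, e in srv.sent if e == REFUSED_STREAM),
    }


def without_reset(cycles, max_streams=1):
    """Same requests with no malformed frames: the concurrency limit holds and
    all but the first request are refused. Returns (in flight, refused)."""
    srv = ToyServer(max_streams)
    for i in range(cycles):
        srv.feed(headers_end_stream(2 * i + 1))
    return len(srv.backend_inflight), sum(1 for _, _, e in srv.sent if e == REFUSED_STREAM)


if __name__ == "__main__":
    print(made_you_reset(1000))   # 0 open streams, 1000 requests in flight
    print(without_reset(1000))    # (1, 999): the limit works when nothing is reset
```

Running made_you_reset(1000) against a server that advertises a single concurrent stream leaves zero open streams, a thousand requests in the backend, a thousand server-sent RST_STREAM frames and zero client-sent ones, which is exactly the signal a client-only reset counter misses.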
The Link to the “Rapid Reset” Attack
If this sounds familiar, it is because the outcome is the same as the well-known HTTP/2 Rapid Reset vulnerability (CVE-2023-44487). The mechanism differs in one crucial detail. In Rapid Reset the client itself sent RST_STREAM frames to cancel thousands of its own streams, so the first-generation defenses counted client-sent resets and dropped connections that sent too many. In MadeYouReset the client never sends an RST_STREAM at all; it makes the server send one by handing it a malformed frame, so a defense that watches only client-initiated resets sees nothing unusual.
The crucial takeaway is that the impact, server resource exhaustion from reset streams whose requests are still being processed, is the same. Mitigations that track reset streams regardless of which side sent the RST_STREAM, cap the number of requests in flight per connection, and close abusive connections with GOAWAY therefore cover MadeYouReset as well. Cloudflare reported that its existing Rapid Reset mitigations already blocked the new variant, and infrastructure engineers who hardened their systems against Rapid Reset in the same way are in a strong position to withstand this attack vector.
The Impact on Your Services
Failing to protect against MadeYouReset can have serious consequences for your online services:
- Denial of Service: The most direct impact is a complete service outage, preventing legitimate users from accessing your website or application.
- Performance Degradation: Even if the server doesn’t crash entirely, its performance can degrade significantly, leading to slow load times and a poor user experience.
- Increased Operational Costs: For services hosted in the cloud, a resource-exhaustion attack can trigger auto-scaling mechanisms, leading to a sharp and unexpected increase in infrastructure costs.
Actionable Steps to Mitigate MadeYouReset
Protecting your infrastructure requires a proactive, layered security approach. Here are the most effective steps you can take to defend against MadeYouReset and similar stream-reset DoS attacks.
Monitor Reset and Error Rates: The core indicator of this attack is a connection on which the server is sending RST_STREAM frames at an abnormally high rate, typically with PROTOCOL_ERROR, FLOW_CONTROL_ERROR, STREAM_CLOSED or FRAME_SIZE_ERROR codes, while the number of requests in flight for that connection far exceeds the advertised MAX_CONCURRENT_STREAMS. Implement monitoring and alerting on server-sent resets and protocol errors per connection and on backend in-flight requests per connection, not only on client-sent resets.
Implement Strict Reset Budgets: Configure your load balancers, web servers, or security appliances to limit the number of reset streams per connection within a time window, counting resets in either direction, and to close the connection with GOAWAY when the budget is exceeded. Per-IP connection rate limits still help against an attacker who reconnects after being cut off, but they do not stop this attack on their own, since it needs only one long-lived connection.
Leverage Modern DDoS Protection Services: Leading cloud providers and security companies offer sophisticated DDoS mitigation services that are designed to detect and block anomalous traffic patterns at the network edge.
- Cloud Providers: Services like AWS Shield, Google Cloud Armor, and Azure DDoS Protection have built-in defenses against protocol-level attacks.
- CDN and WAF Providers: Companies like Cloudflare, Akamai, and Fastly specialize in identifying and absorbing these attacks before they ever reach your origin server.
Keep All Software Updated: Patching is the primary fix. Ensure your web server software (e.g., Nginx, Apache, Caddy), HTTP/2 libraries, load balancers, and operating systems are running versions that address MadeYouReset. Vendors have released updates that count server-initiated resets toward their Rapid Reset limits and bound the number of requests a single connection can have in processing.
Fine-Tune Server Configurations: Review your server's HTTP/2 settings. While not a complete solution, lowering MAX_CONCURRENT_STREAMS, capping outstanding backend requests per connection, and making sure that a stream reset cancels the work queued for that request all reduce how much damage one abusive connection can do.
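As an added example of the reset-budget mitigation described above (not Cloudflare's code and not any server's actual implementation), the following sliding-window counter shows why the direction of the RST_STREAM matters. The ResetBudget class, the first_goaway driver, the 100-resets-per-second threshold and the three event traces are all constructed for this illustration; a production guard would also count the protocol errors themselves and bound backend in-flight requests per connection.

```python
from collections import deque


class ResetBudget:
    """Per-connection sliding-window budget on reset streams (assumed design).

    With count_server_resets=False it behaves like a first-generation Rapid
    Reset heuristic that only counts RST_STREAM frames the client sent. With
    count_server_resets=True it counts resets in either direction, which is
    what closes the MadeYouReset gap: there every reset is server-sent.
    """

    def __init__(self, limit, window_ms, count_server_resets=True):
        self.limit = limit
        self.window_ms = window_ms
        self.count_server_resets = count_server_resets
        self.events = deque()    # timestamps (ms) of the resets counted so far
        self.tripped_at = None   # time at which the connection was cut off

    def observe(self, t_ms, reset_by):
        """Record one reset stream on this connection. Returns "ok", or
        "goaway" once the budget is exhausted (the caller then sends GOAWAY
        and drops the connection)."""
        if self.tripped_at is not None:
            return "goaway"
        if reset_by == "server" and not self.count_server_resets:
            return "ok"          # the blind spot of client-only counting
        self.events.append(t_ms)
        while self.events and t_ms - self.events[0] > self.window_ms:
            self.events.popleft()
        if len(self.events) > self.limit:
            self.tripped_at = t_ms
            return "goaway"
        return "ok"


def first_goaway(make_policy, trace):
    """Feed a (time_ms, reset_by) trace through a fresh policy; return the
    time at which it sent GOAWAY, or None if the trace passed untouched."""
    guard = make_policy()
    for t_ms, who in trace:
        if guard.observe(t_ms, who) == "goaway":
            return t_ms
    return None


def client_only():
    return ResetBudget(limit=100, window_ms=1000, count_server_resets=False)


def either_side():
    return ResetBudget(limit=100, window_ms=1000, count_server_resets=True)


# Constructed traces, not captured traffic. One reset per millisecond is the
# attack tempo; one reset per second is a user occasionally cancelling a load.
RAPID_RESET = [(i, "client") for i in range(500)]      # client cancels its own streams
MADE_YOU_RESET = [(i, "server") for i in range(500)]   # server forced to reset them
LEGITIMATE = [(i * 1000, "client") for i in range(20)]

if __name__ == "__main__":
    for name, trace in [("rapid reset", RAPID_RESET),
                        ("made you reset", MADE_YOU_RESET),
                        ("legitimate", LEGITIMATE)]:
        print(f"{name:15} client-only: {first_goaway(client_only, trace)!s:>5}"
              f"  either-side: {first_goaway(either_side, trace)!s:>5}")
```

The client-only policy cuts off the Rapid Reset trace after the 101st reset at the 100 ms mark but never notices the MadeYouReset trace; the either-side policy stops both at the same point and leaves the legitimate trace alone. Whatever threshold you choose, the reset count has to include resets the server itself sent.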
Final Thoughts
The MadeYouReset vulnerability serves as another critical reminder that even well-established protocols like HTTP/2 can harbor subtle flaws. While the threat is serious, it is not insurmountable. By understanding its mechanism and implementing robust, layered security controls—many of which you should already have in place to defend against Rapid Reset—you can effectively protect your services. Proactive monitoring, intelligent rate limiting, and leveraging edge security services remain the cornerstones of a resilient web infrastructure.
Source: https://blog.cloudflare.com/madeyoureset-an-http-2-vulnerability-thwarted-by-rapid-reset-mitigations/