The HTTP/2 protocol allows a denial of service (Service resource consumption) because request cancellation can reset many streams quickly as it has been exploited in the wild.

HTTP/2 provides an optimized transport for HTTP semantics. HTTP/2 supports all of the core features of HTTP but aims to be more efficient than HTTP/1.1

Organizations that provide HTTP/2 Services include;

• Cloudflare https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
• Google https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack
• AWS https://aws.amazon.com/security/security-bulletins/AWS-2023-011/
• NGINX https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/
• Microsoft https://msrc.microsoft.com/blog/2023/10/microsoft-response-to-distributed-denial-of-service-ddos-attacks-against-http/2/

The HTTP/2 vulnerability allows malicious actors to launch a DDOS attack targeting HTTP/2 Servers. The attack sends a set number of HTTP requests using HEADERS followed by RST_STREAM and repeating this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion.

• It is recommended that organizations that provide HTTP/2 services to apply patches when available and consider configuration changes.
• Customers and administrators are recommended to patch web servers/proxies as quickly as possible
• Apply security measures on the application layer
• Recommend restricting internet access to your web applications where possible