
The new technique described avoids the maximum limit on the number of requests per second (per client) the attacker can get the server to process. By sending both requests and stream resets within the same single connection, the attacker can send more requests per connection/client than used to be possible, so it is perhaps cheaper as an attack and/or more difficult to stop.



Is it a fundamental HTTP/2 protocol issue or an implementation issue? Could this be an issue at all if a server has strict limits on requests per IP address, regardless of the number of connections?


Implementation issue. Some implementations are immune.
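The accounting question raised in this thread, as an added example that is not part of any comment and not taken from any server's code: a replay of constructed frame events showing that a concurrent-stream limit alone does not bound admitted work when each request is reset, while a per-IP request budget and a per-connection reset cap do. The `Accounting` class, `replay` helper, limit values and the sample address are all hypothetical.

```python
from collections import defaultdict

class Accounting:
    """Per-window HTTP/2 stream accounting; limits are assumed, hypothetical values."""

    def __init__(self, max_concurrent=100, ip_budget=200, max_resets=50):
        self.max_concurrent = max_concurrent
        self.ip_budget = ip_budget
        self.max_resets = max_resets
        self.open_streams = defaultdict(set)  # conn_id -> open stream ids
        self.resets = defaultdict(int)        # conn_id -> client RST_STREAM count
        self.ip_requests = defaultdict(int)   # ip -> streams opened, never refunded
        self.closed = set()                   # connections this policy terminated

    def on_frame(self, ip, conn_id, frame, stream_id):
        """Return 'process', 'refuse', 'ok' or 'close' for one inbound frame."""
        if conn_id in self.closed:
            return "close"
        if frame == "HEADERS":
            # A client reset frees the slot, so this check alone never trips
            # when every request is cancelled right after it is sent.
            if len(self.open_streams[conn_id]) >= self.max_concurrent:
                return "refuse"
            self.ip_requests[ip] += 1
            if self.ip_requests[ip] > self.ip_budget:
                return "refuse"  # per-IP cap spans all of the client's connections
            self.open_streams[conn_id].add(stream_id)
            return "process"
        if frame == "RST_STREAM":
            self.open_streams[conn_id].discard(stream_id)
            self.resets[conn_id] += 1
            if self.resets[conn_id] > self.max_resets:
                self.closed.add(conn_id)  # a real server would send GOAWAY here
                return "close"
        return "ok"

def replay(events, **limits):
    """Replay (ip, conn_id, frame, stream_id) tuples; return (admitted, state)."""
    acct, admitted = Accounting(**limits), 0
    for event in events:
        if acct.on_frame(*event) == "process":
            admitted += 1
    return admitted, acct

# Constructed sample: one connection opens and immediately cancels 1000 streams.
SAMPLE = [(ip, "c1", frame, sid) for ip in ["198.51.100.7"]
          for sid in range(1, 2001, 2) for frame in ("HEADERS", "RST_STREAM")]
```

With only the concurrency limit in force, all 1000 sample requests are admitted; with the default caps the connection is closed after 51.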



