HTTP/2 Rapid Reset

Cloudflare protects customers against new record-breaking DDoS attack

HTTP/2 Rapid Reset is a flaw in the HTTP/2 protocol that can be exploited to carry out DDoS attacks.

Because 62% of the Internet traffic we see uses HTTP/2, this is a high severity vulnerability. It has been exploited to create the largest DDoS attack we have ever seen.

If you are using any of these Cloudflare products, you are already protected: CDN, SSL/TLS encryption, HTTP DDoS, WAF, Bot Management, Rate Limiting, API Gateway, or Page Shield.

If you're not using one of these products, Cloudflare can protect you today.

Get protected against HTTP/2 Rapid Reset

Resources for HTTP/2 Rapid Reset


Solutions Engineer, Michiel Appelman explains record-breaking DDoS attack and how we stopped it

Watch video
Cloudflare TV Icon

Learn the latest news on the DDoS attack campaign from Cloudflare CSO, Grant Bourzikas, and Cloudflare Field CTO, John Engates

Watch webinar

Read our press release on the HTTP/2 Rapid Reset attack campaign and Cloudflare’s response

Read press release

How Cloudflare helped discover and mitigate the largest DDoS attack we’ve seen

Read blog

Our experts break down how HTTP/2 Rapid Reset played out and what you can do about it

Read blog

Tune in to a discussion with our technical experts covering the specifics of HTTP/2 Rapid Reset and how you can defend against it

Watch webinar

Who is protected against HTTP/2 Rapid Reset?

Organizations proxying their HTTP traffic through Cloudflare are automatically protected. The vast majority of organizations using Cloudflare fall into this category.

You are protected if you have deployed any of these Cloudflare services:

  • CDN or SSL/TLS encryption
  • WAF
  • Bot Management
  • Rate Limiting or Advanced Rate Limiting
  • API Gateway
  • Page Shield

If you have HTTP assets or applications that are not behind one of these products, contact Cloudflare or your DDoS protection vendor to learn more.

Under attack or need additional protection?

We’re here to help. Our HTTP/2 Rapid Reset Defense packages protect your organization against HTTP/2 attacks as well as other risks. Priority onboarding available.

How Cloudflare protected customers from this attack

Helped discover HTTP/2 flaw

With industry peers, Cloudflare helped discover the underlying flaw in late August, 2023. We worked with governments and industry groups to responsibly disclose the vulnerability and attack campaign.

Real time mitigation

Cloudflare DDoS Protection helps every organization with applications behind Cloudflare, including free customers. Less than 0.0001% of requests served during the attack campaign resulted in errors.

Patched HTTP/2 at our edge

Cloudflare patched our implementation of HTTP/2 to reduce the impact of the exploit on our customers’ applications.

Global leaders, including 30% of the Fortune 1000, rely on Cloudflare