The HTTP/2 Rapid Reset Client, implemented in C#, is designed for testing mitigations and assessing vulnerability to the CVE-2023-44487 (Rapid Reset DDoS attack vector). This client establishes a lone TCP socket, conducts TLS negotiation while disregarding certificates, and engages in the exchange of SETTINGS frames. Subsequently, the client swiftly dispatches HEADERS frames, succeeded by RST_STREAM frames. It actively monitors server frames post-initial setup and outputs them to the console.
git clone https://github.com/terrorist/HTTP-2-Rapid-Reset-Client.git
cd Http2Attack
// make sure to change the hard coded arguments before building the .exe
dotnet build -o Http2Attack
-
requests
: The count of requests to be sent (default is 5) -
url
: The URL of the server (default is https://localhost:443) -
wait
: The time, in milliseconds, to wait between starting workers (default is 0) -
delay
: The delay, in milliseconds, between sending HEADERS and RST_STREAM frames (default is 0) -
concurrency
: The maximum number of concurrent workers (default is 0)
- System.Net.Http - .NET library for sending HTTP requests and receiving HTTP responses.
This project is licensed under the Apache License - see the LICENSE file for details
This work is based on the initial analysis of CVE-2023-44487 by Juho Snellman and Daniele Iamartino at Google.