CVE-2023-44487 PoC — Apache HTTP/2 Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: Apache HTTP/2 Resource Management Error Vulnerability (CVE-2023-44487)
Description: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Description
A tool to check how well a system can handle Rapid Reset DDoS attacks (CVE-2023-44487).
Readme
# HTTP/2 Rapid Reset Client (C#)

The HTTP/2 Rapid Reset Client, implemented in C#, is designed for testing mitigations and assessing vulnerability to CVE-2023-44487 (the Rapid Reset DDoS attack vector). The client opens a single TCP socket, negotiates TLS while ignoring certificates, and exchanges SETTINGS frames. It then sends HEADERS frames in quick succession, each followed by an RST_STREAM frame. After the initial setup it reads the frames the server sends and prints them to the console.
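The server-side counterpart of that traffic pattern, as an added example that is not part of this project's README or its `Program.cs`: a per-connection monitor that counts client RST_STREAM frames for streams still in flight and signals that the connection should be closed with GOAWAY once a budget is exceeded. The class and function names, the thresholds (20 resets per 1 s window) and both traces are assumptions constructed for illustration.

```python
from collections import deque

HEADERS, RST_STREAM = 0x1, 0x3   # HTTP/2 frame type codes (RFC 9113)
ENHANCE_YOUR_CALM = 0xB          # HTTP/2 error code a server can put in GOAWAY

class ResetMonitor:
    """Counts client-cancelled streams on one connection in a sliding window."""

    def __init__(self, max_resets=20, window_s=1.0):  # assumed thresholds
        self.max_resets = max_resets
        self.window_s = window_s
        self.open_streams = set()  # streams the client opened, not yet answered
        self.resets = deque()      # timestamps of client resets of open streams

    def on_response_complete(self, stream_id):
        # The server finished its response; a later RST_STREAM costs nothing.
        self.open_streams.discard(stream_id)

    def on_client_frame(self, ts, frame_type, stream_id):
        """Return ENHANCE_YOUR_CALM when the connection should be closed, else None."""
        if frame_type == HEADERS:
            self.open_streams.add(stream_id)
        elif frame_type == RST_STREAM and stream_id in self.open_streams:
            self.open_streams.remove(stream_id)
            self.resets.append(ts)
        while self.resets and ts - self.resets[0] > self.window_s:
            self.resets.popleft()  # forget resets older than the window
        return ENHANCE_YOUR_CALM if len(self.resets) > self.max_resets else None

def first_violation(events, **limits):
    """events: (ts, kind, stream_id) with kind 'H', 'R' or 'done'.
    Returns the stream id at which the budget is exceeded, or None."""
    mon = ResetMonitor(**limits)
    for ts, kind, sid in events:
        if kind == "done":
            mon.on_response_complete(sid)
        elif mon.on_client_frame(ts, HEADERS if kind == "H" else RST_STREAM, sid):
            return sid
    return None

# Constructed traces; client-initiated stream ids are odd (1, 3, 5, ...).
# Pattern described in the README: every HEADERS is followed at once by RST_STREAM.
rapid = [(i * 0.001 + d, k, 2 * i + 1)
         for i in range(100) for d, k in ((0, "H"), (0.0005, "R"))]
# Ordinary client: 100 requests over 10 s, every tenth one cancelled early.
normal = []
for i in range(100):
    sid, t = 2 * i + 1, i * 0.1
    second = (t + 0.02, "R", sid) if i % 10 == 0 else (t + 0.05, "done", sid)
    normal += [(t, "H", sid), second]
```

With the assumed defaults, `first_violation(rapid)` trips on the 21st cancelled stream, while `first_violation(normal)` never does.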

## Prerequisites

- [.NET SDK](https://dotnet.microsoft.com/download)

## Installation

### Clone the Repository
```
git clone https://github.com/terrorist/HTTP-2-Rapid-Reset-Client.git
```

### Installing
```
cd Http2Attack

# make sure to change the hard-coded arguments before building the .exe
dotnet build -o Http2Attack
```

### Hard coded arguments

- `requests`: The count of requests to be sent (default is 5)

- `url`: The URL of the server (default is https://localhost:443)

- `wait`: The time, in milliseconds, to wait between starting workers (default is 0)

- `delay`: The delay, in milliseconds, between sending HEADERS and RST_STREAM frames (default is 0)

- `concurrency`: The maximum number of concurrent workers (default is 0)

## Built With

- [System.Net.Http](https://docs.microsoft.com/en-us/dotnet/api/system.net.http) - .NET library for sending HTTP requests and receiving HTTP responses.

## License

This project is licensed under the Apache License. See the [LICENSE](LICENSE) file for details.

## Acknowledgments

This work is based on the [initial analysis of CVE-2023-44487](https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack) by Juho Snellman and Daniele Iamartino at Google.
File Snapshot

```
[4.0K]  /data/pocs/b4462d56e6c516733ad2722215e1f8a5f8f970e5
├── [4.0K]  Http2Attack
│   ├── [ 239]  Http2Attack.csproj
│   └── [4.4K]  Program.cs
├── [1.1K]  Http2Attack.sln
├── [ 11K]  LICENSE
└── [1.8K]  README.md

1 directory, 5 files
```