Share
## https://sploitus.com/exploit?id=8132DEBA-6222-5A32-84DE-B97EF48D0F99
# cve-2023-44487 - http/2 rapid reset attack

by 7pirqte

## what is this

poc for the http/2 rapid reset attack. basically you open a stream with HEADERS frame then immediatly send RST_STREAM to cancel it. server does all the work setting up and tearing down streams while you just spam requests. the cancelled streams dont count toward the max streams limit so you can basically send unlimited resets.

this was used in some massive ddos attacks in 2023

## install

```bash
pip install -r requirements.txt
```

## usage

```bash
# single target
python main.py -u https://target.com

# from file
python main.py -f urls.txt

# 10 connections for 30 secs
python main.py -u https://target.com -c 10 -d 30
```

## options

- `-u` - target url
- `-f` - file with urls (one per line)
- `-c` - connections per target (default 1)
- `-d` - duration in seconds (default 10)
- `--delay` - delay between resets

## disclaimer

only use this on systems you own or have permission to test. dont be stupid, unauthorized testing is illegal and unethical, use responsibly and adhere to all applicable laws and regulations