Hacker News

I was surprised too, but if you look at the timelines then RST_STREAM seems to have been present in early versions of SPDY, and SPDY seems mostly to have been designed around 2009. Attacks like Slowloris were coming out at about the same time, but they weren't well-known.

On the other hand, SYN cookies were introduced in 1996, so there's definitely some historic precedent for attacks in the (victim pays Y, attacker pays X, X<<Y) class.



If you are working on the successor protocol of HTTP/1.1, and are not aware of Slowloris the moment it hits and every serious httpd implementation out there gets patched to mitigate it, I'd argue you are in the wrong line of work.


While I agree in principle, Slowloris is a very different attack than this one.



