A zero-day vulnerability named "HTTP/2 Rapid Reset" was exploited to launch the largest distributed denial-of-service (DDoS) attacks in the history of the Internet.
One of the attacks recorded by Cloudflare was three times larger than the record-breaking 71 million requests per second (RPS) attack reported by the company in February.
Specifically, the HTTP/2 Rapid Reset DDoS attack peaked at 201 million RPS, while Google observed a DDoS attack that peaked at 398 million RPS.
The new attack method uses a feature of HTTP/2 called 'stream cancellation', repeatedly sending a request and canceling it immediately.
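
The request-then-cancel pattern described above is visible per connection as HEADERS frames followed almost immediately by client RST_STREAM frames. The following detection sketch is an added example, not code from the article or from any vendor; the log line format, the thresholds and all function names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Assumed thresholds (tune per deployment; not taken from the article).
MAX_RESET_DELAY = 0.05   # seconds between HEADERS and the client's RST_STREAM
MIN_STREAMS = 20         # ignore connections with too few streams to judge
MAX_RESET_RATIO = 0.8    # share of streams cancelled "immediately"

def parse_line(line):
    """Parse 'timestamp conn_id direction frame_type stream_id' (hypothetical format)."""
    ts, conn, direction, ftype, sid = line.split()
    return float(ts), conn, direction, ftype, int(sid)

def find_rapid_reset(lines):
    """Return {conn_id: (streams_opened, rapid_resets)} for flagged connections."""
    opened = defaultdict(dict)   # conn -> {stream_id: time HEADERS was received}
    total = defaultdict(int)     # conn -> streams opened by the client
    rapid = defaultdict(int)     # conn -> streams cancelled within MAX_RESET_DELAY
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, conn, direction, ftype, sid = parse_line(line)
        if direction != "recv":  # only frames received from the client matter here
            continue
        if ftype == "HEADERS" and sid not in opened[conn]:
            opened[conn][sid] = ts
            total[conn] += 1
        elif ftype == "RST_STREAM" and sid in opened[conn]:
            if ts - opened[conn].pop(sid) <= MAX_RESET_DELAY:
                rapid[conn] += 1
    return {c: (total[c], rapid[c]) for c in total
            if total[c] >= MIN_STREAMS and rapid[c] / total[c] >= MAX_RESET_RATIO}

def sample_log():
    """Constructed sample: 'c1' cancels every stream at once, 'c2' behaves normally."""
    lines = []
    for i in range(30):
        sid, t = 2 * i + 1, 1.0 + i * 0.002
        lines.append(f"{t:.4f} c1 recv HEADERS {sid}")
        lines.append(f"{t + 0.001:.4f} c1 recv RST_STREAM {sid}")
    for i in range(25):
        sid, t = 2 * i + 1, 1.0 + i * 0.5
        lines.append(f"{t:.4f} c2 recv HEADERS {sid}")
        if i % 10 == 0:  # occasional late cancel, e.g. the user navigated away
            lines.append(f"{t + 2.0:.4f} c2 recv RST_STREAM {sid}")
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    print(find_rapid_reset(sample_log()))
```

A flagged connection is a candidate for closing or rate limiting; legitimate clients do cancel streams, which is why the check combines a minimum stream count, a short delay window and a high ratio.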