Record-Breaking DDoS Attacks

Hi Everone,

Cloudflare just published a press release to alert the world of a Zero Day vulnerability we’re calling HTTP/2 Rapid Reset.

For customers using Cloudflare to proxy their HTTP (Layer 7) traffic, domains behind Cloudflare are protected. We have automatically blocked the majority of attacks at our edge, created new detection heuristics, and are using machine learning models to drive new rule creation deployed globally within seconds. Nonetheless, we strongly encourage you to look into these best practices to optimize your security posture even further.

If you have HTTP sites and resources that do NOT proxy HTTP traffic through Cloudflare, those sites and resources are not protected by Cloudflare. We encourage you to assess your web assets and protect them by onboarding the domains to Cloudflare, or if you use another vendor, check with them to verify coverage against this vulnerability.

We’ve published a comprehensive resource hub for more details: HTTP/2 Rapid Reset Attack Protection.

If you have any additional questions about the recent HTTP/2 Rapid Reset vulnerability, please refer to the following sources for information.


Thanks @Zein.

Can you clarify this though please? What exactly isn’t protected if I’m using Workers/Pages? All subrequests should be proxied, no? is on Pages. I’d expect this to not be vulnerable. But it is? This feels like it should be covered between eyeball → cf, which all devplat should be hitting as far as I’m aware? :thinking:



I apologize for any misunderstanding in my previous post. I have revised the post to enhance its clarity. In response to your inquiry, most Dev Platform functions are behind Cloudflare proxy that protects them.


This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.