HTTP/2 Rapid Reset is a Layer 7 (application) attack vector, one of the classes a thorough DDoS test is built to exercise. Tracked as CVE-2023-44487, it abuses HTTP/2 stream multiplexing: the attacker opens a request stream and immediately cancels it with a RST_STREAM frame, then repeats at high speed over a single connection. The server does the work of setting up and tearing down each stream while the client pays almost nothing, so a small number of connections generates enormous request churn that drives record-setting request-per-second floods.
Why it matters in DDoS testing
Rapid Reset showed that a protocol feature, not a volumetric pipe, can be the attack surface, and that patched servers still need tuned stream and reset limits. Because the vector targets the application tier, exercising it safely against real services without causing an outage is the discipline covered in running a DDoS test without disrupting production.