
New HTTP/2 ‘MadeYouReset’ Vulnerability Enables Large-Scale DoS Attacks

This attack is notable not least because the attacker never needs to send an RST_STREAM frame, which completely bypasses Rapid Reset mitigations while achieving the same impact as Rapid Reset.

In an advisory, the CERT Coordination Center (CERT/CC) said MadeYouReset exploits a mismatch caused by stream resets between HTTP/2 specifications and the internal architectures of many real-world web servers, resulting in resource exhaustion — something an attacker can exploit to induce a DoS attack.
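The following is an added example, not code from the article or the CERT/CC advisory. It shows why a limit that counts only client-sent RST_STREAM frames (a Rapid Reset style mitigation) misses a connection whose streams are reset by the server, while a limit on resets in either direction flags it. The log format, threshold and window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict, deque

# Hypothetical frame-log format: dir=in is client-to-server, dir=out is server-to-client.
LINE = re.compile(r"t=(?P<t>[\d.]+) conn=(?P<conn>\S+) dir=(?P<dir>in|out) "
                  r"frame=(?P<frame>\S+) stream=(?P<stream>\d+)")

def build_log():
    """Constructed sample log, not captured traffic."""
    lines = []
    for i in range(40):
        sid, t = 2 * i + 1, i * 0.01
        # conn A: client opens a stream and cancels it itself (Rapid Reset pattern)
        lines.append(f"t={t:.2f} conn=A dir=in frame=HEADERS stream={sid}")
        lines.append(f"t={t:.2f} conn=A dir=in frame=RST_STREAM stream={sid}")
        # conn B: client opens a stream and the server resets it (MadeYouReset pattern)
        lines.append(f"t={t:.2f} conn=B dir=in frame=HEADERS stream={sid}")
        lines.append(f"t={t:.2f} conn=B dir=out frame=RST_STREAM stream={sid}")
    # conn C: ordinary client with a single cancelled request
    lines += ["t=0.10 conn=C dir=in frame=HEADERS stream=1",
              "t=0.20 conn=C dir=in frame=RST_STREAM stream=1",
              "t=0.30 conn=C dir=in frame=HEADERS stream=3"]
    return lines

def flag_connections(lines, directions, limit=20, window=1.0):
    """Return connections with more than `limit` RST_STREAM frames, counted only
    in the given directions, inside any `window`-second span."""
    recent = defaultdict(deque)   # per-connection timestamps of recent resets
    flagged = set()
    for line in lines:
        m = LINE.match(line)
        if not m or m["frame"] != "RST_STREAM" or m["dir"] not in directions:
            continue
        t, q = float(m["t"]), recent[m["conn"]]
        q.append(t)
        while q and t - q[0] > window:   # drop resets that fell out of the window
            q.popleft()
        if len(q) > limit:
            flagged.add(m["conn"])
    return flagged

if __name__ == "__main__":
    log = build_log()
    print("client-sent resets only:", sorted(flag_connections(log, {"in"})))
    print("resets in either direction:", sorted(flag_connections(log, {"in", "out"})))
```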
