HTTP/2 Rapid Reset Attack [CVE-2023-44487]
Rapid Reset is a Denial of Service (DoS) attack that abuses the HTTP/2 RST_STREAM frame. Where HTTP/1.1 is text-based, with the familiar header/body messages, HTTP/2 is a binary protocol built on multiplexed streams: data frames and control frames (including flow-control frames) are exchanged back and forth on each stream. A single connection can also carry many streams at once, each with its own request and response in flight, as opposed to the serialized request/response of HTTP/1.1.

One of the supported control frames is RST_STREAM, or reset stream, which 'cancels' a stream so that no further frames on it are processed. The problem is that an attacker can continuously bombard the server with these reset frames across parallel streams, and the server is flooded with processing the reset requests. Because a reset stream immediately frees its slot under the connection's concurrent-stream limit, the attacker can open and cancel far more requests than that limit would normally allow, while the server still spends CPU on each request before the cancellation is handled. This ultimately starves the CPU, which can bring down the server's ability to respond to further requests.
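As an added example (not code from the original write-up), the following Python parses raw HTTP/2 frames, counts RST_STREAM frames on a connection within a sliding time window, and flags the connection for closure once the reset rate exceeds a threshold, which is one common server-side mitigation for this issue. The sample traffic, the default threshold of 100 resets per second and the fixed inter-frame timing are constructed assumptions.

```python
import struct
from collections import deque

# HTTP/2 frame types / flags / error codes used here (RFC 9113, sections 6 and 7)
HEADERS, RST_STREAM, END_STREAM, END_HEADERS, CANCEL = 0x1, 0x3, 0x1, 0x4, 0x8

def build_frame(ftype, flags, stream_id, payload):
    """Frame = 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        frames.append((data[off + 3], data[off + 4], stream_id, data[off + 9:off + 9 + length]))
        off += 9 + length
    return frames

class ResetRateLimiter:
    """Sliding-window count of RST_STREAM frames on one connection; record() returns True
    once the count exceeds max_resets, i.e. when the server should send GOAWAY and close."""
    def __init__(self, max_resets, window_seconds):
        self.max_resets, self.window, self.times = max_resets, window_seconds, deque()
    def record(self, now):
        self.times.append(now)
        while now - self.times[0] > self.window:  # drop resets older than the window
            self.times.popleft()
        return len(self.times) > self.max_resets

def sample_reset_traffic(n):
    """Constructed sample traffic: n requests, each cancelled right after it is sent."""
    data = b""
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        # HEADERS holding only HPACK static-table index 2 (':method: GET'); request is complete
        data += build_frame(HEADERS, END_STREAM | END_HEADERS, sid, b"\x82")
        data += build_frame(RST_STREAM, 0, sid, struct.pack(">I", CANCEL))
    return data

def should_close(data, max_resets=100, window=1.0, frame_interval=0.001):
    """Replay a byte stream at a fixed inter-frame time; True if the limiter trips."""
    limiter, now = ResetRateLimiter(max_resets, window), 0.0
    for ftype, _, _, _ in parse_frames(data):
        if ftype == RST_STREAM and limiter.record(now):
            return True
        now += frame_interval
    return False
```

A burst of 200 request/cancel pairs at one frame per millisecond trips the limiter, while the same frames spread over 0.1 s each do not, so the check distinguishes a reset flood from ordinary client cancellations.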