[ynik]

I wonder why exactly this attack can't be pulled off with HTTP/1.1 and TCP RST for cancellation. It seems that (even with SYN cookies involved) an attacker could create new connections, send HTTP request, then quickly after send a RST.

Is it just that the kernel doesn't really communicate TCP RST all that well to the application, so the HTTP server continues to count the connection against the "open connection limit" even though it isn't open anymore?

[immibis]

The server kernel won't communicate the new connection to the application until you go through SYN-SYNACK-ACK.

[wbl]

The problem for the attacker is they then run into resource limits on the TCP connections. The resets are essential to get the consumption not counting.