Article Details
Scrape Timestamp (UTC): 2024-04-04 15:30:18.932
Original Article Text
New HTTP/2 DoS attack can crash web servers with a single connection

Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations.

HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead.

The new CONTINUATION Flood vulnerabilities were discovered by researcher Bartek Nowotarski, who says they relate to the use of HTTP/2 CONTINUATION frames, which are not properly limited or checked in many implementations of the protocol.

HTTP/2 messages include header and trailer sections serialized into blocks. These blocks can be fragmented across multiple frames for transmission, and CONTINUATION frames carry the remaining fragments of a block on the same stream. The omission of proper frame checks in many implementations allows threat actors to send an extremely long sequence of frames simply by never setting the 'END_HEADERS' flag, leading to server outages from out-of-memory crashes or CPU resource exhaustion as these frames are processed.

The researcher warned that out-of-memory conditions could crash a server over a single HTTP/2 TCP connection in some implementations.

"Out of Memory are probably the most boring yet severe cases. There is nothing special about it: no strange logic, no interesting race condition and so on," Nowotarski explains. "The implementations that allow OOM simply did not limit the size of headers list built using CONTINUATION frames."

"Implementations without header timeout required just a single HTTP/2 connection to crash the server."
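As an added illustration (this is not code from the article or from the researcher), the Python sketch below shows the check whose absence the article describes: a minimal HTTP/2 frame reader that reassembles a header block from a HEADERS frame and its CONTINUATION frames. In one mode it buffers fragments without limit until END_HEADERS arrives (the vulnerable behaviour); in the other it aborts the connection once a byte cap or a frame-count cap is passed. The 9-byte frame layout, the type codes and the END_HEADERS, PADDED and PRIORITY flag values are from RFC 7540/9113; the limits MAX_HEADER_BLOCK_BYTES and MAX_CONTINUATION_FRAMES, the class and function names, and the input frames built in feed_unterminated_block() are assumptions constructed for this example. The header timeout the researcher mentions is a second, complementary control not shown here.

```python
import struct

# HTTP/2 frame constants (RFC 7540 / RFC 9113)
FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20

# Limits chosen for this example (assumption); real servers usually derive
# the byte cap from their configured SETTINGS_MAX_HEADER_LIST_SIZE.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 32


class ProtocolError(Exception):
    """Raised where a real server would send GOAWAY and drop the connection."""


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from a buffer of concatenated frames."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        pos += FRAME_HEADER_LEN + length


class HeaderBlockAssembler:
    """Reassembles one header block from a HEADERS frame plus CONTINUATION frames.

    bounded=False reproduces the behaviour the article describes: fragments are
    buffered until END_HEADERS arrives, which a sender can simply never set.
    bounded=True aborts once the buffered bytes or the frame count pass a cap.
    """

    def __init__(self, bounded=True):
        self.bounded = bounded
        self.stream_id = None          # stream whose header block is open, if any
        self.fragments = bytearray()
        self.continuation_count = 0

    def feed(self, ftype, flags, stream_id, payload):
        """Consume one frame; return the complete header block when END_HEADERS is seen."""
        if ftype == TYPE_HEADERS:
            if self.stream_id is not None:
                raise ProtocolError("HEADERS while another header block is open")
            self.stream_id = stream_id
            self.fragments = bytearray(self._strip_headers_payload(flags, payload))
            self.continuation_count = 0
        elif ftype == TYPE_CONTINUATION:
            if self.stream_id is None or stream_id != self.stream_id:
                raise ProtocolError("CONTINUATION outside an open header block")
            self.continuation_count += 1
            self.fragments += payload
        else:
            if self.stream_id is not None:
                raise ProtocolError("non-CONTINUATION frame inside a header block")
            return None  # other frame types are outside this example's scope
        if self.bounded:
            if len(self.fragments) > MAX_HEADER_BLOCK_BYTES:
                raise ProtocolError("header block exceeds %d bytes" % MAX_HEADER_BLOCK_BYTES)
            if self.continuation_count > MAX_CONTINUATION_FRAMES:
                raise ProtocolError("too many CONTINUATION frames")
        if flags & FLAG_END_HEADERS:
            block = bytes(self.fragments)
            self.stream_id, self.fragments, self.continuation_count = None, bytearray(), 0
            return block
        return None

    @staticmethod
    def _strip_headers_payload(flags, payload):
        """Drop the optional pad-length/padding and priority fields of a HEADERS payload."""
        pad_len = 0
        if flags & FLAG_PADDED:
            if not payload:
                raise ProtocolError("PADDED flag on empty payload")
            pad_len, payload = payload[0], payload[1:]
        if flags & FLAG_PRIORITY:
            payload = payload[5:]
        if pad_len > len(payload):
            raise ProtocolError("padding exceeds payload length")
        return payload[:len(payload) - pad_len]


def feed_unterminated_block(bounded, n_continuations, chunk=1024):
    """Constructed test input: a HEADERS frame with END_HEADERS unset, followed by
    n_continuations CONTINUATION frames (also without END_HEADERS), all on stream 1.
    Returns (bytes buffered by the assembler, error message or None)."""
    data = build_frame(TYPE_HEADERS, 0, 1, b"\x00" * chunk)
    for _ in range(n_continuations):
        data += build_frame(TYPE_CONTINUATION, 0, 1, b"\x00" * chunk)
    asm = HeaderBlockAssembler(bounded=bounded)
    try:
        for frame in iter_frames(data):
            asm.feed(*frame)
    except ProtocolError as exc:
        return len(asm.fragments), str(exc)
    return len(asm.fragments), None


if __name__ == "__main__":
    print("unbounded:", feed_unterminated_block(False, 100))  # buffer keeps growing
    print("bounded:  ", feed_unterminated_block(True, 100))   # aborted at the byte cap
```

The unbounded assembler is the shape of the problem: its buffer size is entirely under the peer's control and nothing in the frame stream ever forces it to stop. The bounded one fails closed with a ProtocolError at a fixed cost per connection, and the point at which it fails is exactly the place to emit a frame-level log line, since, as the article notes, a request that never completes its header block never reaches the access log at all.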
An alert from the CERT Coordination Center (CERT-CC) published today lists several CVE IDs corresponding to different HTTP/2 implementations vulnerable to these attacks. These implementations allow varying levels of denial of service attacks, including memory leaks, memory consumption, and CPU exhaustion, as described below:

Severe impact

So far, according to CERT-CC, the vendors and HTTP/2 libraries that have confirmed they are impacted by at least one of the above CVEs are Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Nowotarski says the problem is more severe than the 'HTTP/2 Rapid Reset' attack disclosed last October by major cloud service providers, which has been under active exploitation since August 2023.

"Given that Cloudflare Radar estimates HTTP traffic data above 70% of all internet transfer and significance of affected projects I believe that we can assume that large part of internet was affected by an easy-to-exploit vulnerability: in many cases just a single TCP connection was enough to crash the server," warned Nowotarski.

The researcher also warns that the problem would be hard for server administrators to debug and mitigate without solid HTTP/2 knowledge: the malicious requests would not appear in access logs unless advanced frame analytics is enabled on the server, which in most cases it is not.

As threat actors commonly monitor for newly discovered DDoS techniques to use in their stresser services and attacks, it is critical to upgrade impacted servers and libraries before the vulnerabilities are actively exploited.
Daily Brief Summary
A newly discovered set of vulnerabilities in HTTP/2, dubbed "CONTINUATION Flood," can trigger denial-of-service (DoS) attacks, causing some web servers to crash with just one TCP connection.
HTTP/2, which enhances web performance and efficiency, was found to be vulnerable due to the mismanagement of CONTINUATION frames, where many implementations lack proper limitations and checks.
Attacks take advantage of this oversight by not setting the 'END_HEADERS' flag in the protocol, resulting in out-of-memory crashes or CPU exhaustion during frame processing.
Researcher Bartek Nowotarski identified that these uncontrolled CONTINUATION frames can create out-of-memory conditions leading to server outages.
The CERT Coordination Center issued an alert listing several CVE IDs related to the vulnerability, which affects a range of vendors and HTTP/2 libraries, including Red Hat, Apache, and Node.js.
The issue is considered more severe than the 'HTTP/2 Rapid Reset' attack uncovered last year, with the potential to impact a significant portion of Internet servers.
The researcher highlighted the complexity of identifying and mitigating such attacks, as they might not show in access logs without advanced frame analytics. It's critical for server administrators to update their systems to prevent exploitation.