Application Security

Exploiting HTTP/2 CONTINUATION frames for DoS attacks

webmaster
webmaster
4 Min Read

Contents
About the vulnerabilityAffected versionsImpact MitigationSolutionDetecting vulnerabilities with SnykReferences

About the vulnerability

The vulnerability lies in the way HTTP/2 implementations handle CONTINUATION frames, which are used to transmit header blocks larger than the maximum frame size. Attackers exploit this weakness by sending an excessive number of CONTINUATION frames within a single HTTP/2 stream. This flood of frames overwhelms the server’s capacity to process them efficiently.

The severity of this vulnerability was highlighted by Bartek Nowotarski, who noted that it poses a more significant threat compared to previous incidents, such as the ‘HTTP/2 Rapid Reset’ attack. Furthermore, this vulnerability has been actively exploited since August 2023.

What makes this attack particularly concerning is its potential to crash web servers with just a single TCP connection or even just a handful of frames. As a result, affected servers may experience substantial performance degradation or complete unavailability.

This vulnerability affects a wide range of vendors and HTTP/2 libraries, including but not limited to Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Affected versions

Impact 

Given the widespread use of HTTP/2 and its prevalence in internet traffic (estimated to be above 70% by Cloudflare Radar), the impact of this vulnerability is significant. It underscores the critical need for prompt patching and robust security measures to mitigate the risk of exploitation and protect web servers from devastating denial of service (DoS) and security restriction bypass attacks.

Mitigation

Update the impacted program to the most recent version, with the vulnerability patched in. If a patch is not available, consider temporarily turning off HTTP/2 on the server.

Solution

Patch and update: Ensure the most recent security updates are applied to your server software, relevant libraries, and HTTP/2 implementations. Check software suppliers’ updates frequently, and when updates are available, install them right away to fix known vulnerabilities.

Put rate limiting into practice: Set rate limits to limit the number of requests or frames that may be handled in a given amount of time. This may lessen the effects of heavy traffic or floods.

Analyze and monitor traffic: Keep an eye out for any odd patterns or spikes in incoming traffic that could point to a possible assault. Examine unprocessed HTTP traffic to detect and address malicious requests that take advantage of holes in HTTP/2 implementations.

Use web application firewalls (WAFs): Set up WAFs to filter incoming traffic and stop malicious requests from reaching your server. Set up WAF rules to identify and stop known attack patterns linked to DoS assaults on HTTP/2.

Put network-level defenses into practice: To identify and stop suspicious traffic patterns suggestive of DoS attacks aimed at HTTP/2 implementations, employ network-level defenses like intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Diversify server implementations: Work toward distributing your server implementations among other projects or providers. This can increase resistance to attacks and lessen the effect of vulnerabilities unique to a given implementation.

Detecting vulnerabilities with Snyk

  1. amphp/http (CVE-2024-2653) – Allocation of Resources Without Limits or Throttling

  2. Apache HTTP Server (CVE-2024-27316) – Uncontrolled Resource Consumption (‘Resource Exhaustion’)

  3. Apache Tomcat (CVE-2024-24549) – Improper Input Validation

  4. Apache Traffic Server (CVE-2024-31309) – Uncontrolled Resource Consumption (‘Resource Exhaustion’)

  5. Envoy proxy (CVE-2024-27919 and CVE-2024-30255) – Detection of Error Condition Without Action and Uncontrolled Resource Consumption (‘Resource Exhaustion’) 

  6. Golang (CVE-2023-45288) – Resource Exhaustion

  7. h2 Rust crate

  8. nghttp2 (CVE-2024-28182) – Resource Exhaustion

  9. Node.js (CVE-2024-27983)  – Resource Exhaustion

  10. Tempesta FW (CVE-2024-2758) – Allocation of Resources Without Limits or Throttling 

References

  1. https://nowotarski.info/

  2. https://nowotarski.info/http2-continuation-flood-technical-details/#reachable-assertion-crash-nodejs-special-case 

  3. https://datatracker.ietf.org/doc/html/rfc7540 

  4. https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/

You Might Also Like

Understanding prompt injections: a frontier security challenge

AI progress and recommendations

Introducing the Teen Safety Blueprint

From Pilot to Practice: How BBVA Is Scaling AI Across the Organization

How CRED is tapping AI to deliver premium customer experiences

Share This Article
Previous Article Top 8 Best Smart Door Locks In 2024
Next Article Are You a Victim of a Deepfake Attack? Here’s What to Do Next
Leave a comment

Stay Connected

- Advertisement -

Latest News

This Week in Scams: Fake Steaks and Debit Card Porch Pirates
network vulnerability
Gotthard Pass to close on Friday
SWITZERLAND
From Prompt Injection To Account Takeover · Embrace The Red
Pentesting
Swiss Reformed Church follows Catholics and launches sexual abuse inquiry
SWITZERLAND
Lost your password?