HTTP/2 Flaw Opens Door to DoS Attacks

A new vulnerability in the HTTP/2 protocol could be exploited to execute Denial of Service (DoS) attacks. This discovery, dubbed “HTTP/2 CONTINUATION Flood,” was made by cybersecurity researcher Bartek Nowotarski, who reported the issue to the CERT Coordination Center on January 25, 2024.

The CERT report from April 3 states that many HTTP/2 implementations incorrectly handle a large number of CONTINUATION frames within a single stream.

CONTINUATION frames in HTTP/2 are used to transmit fragments of header blocks. The final frame contains the END_HEADERS flag, signaling the end of the block. However, an attacker can initiate a new HTTP/2 stream against a vulnerable server and send HEADERS and CONTINUATION frames without the END_HEADERS flag set, creating an endless stream of headers that the server is forced to process and store in memory. This can lead to server memory overflow and, consequently, its crash.

The “CONTINUATION Flood” is considered a more severe threat compared to the “Rapid Reset” attack disclosed in October 2023. According to Novotarski, a single machine, and in some cases, even a single TCP connection or a few frames, can completely disrupt server availability. Notably, the requests comprising the attack are not visible in HTTP access logs, making detection difficult.

The vulnerability affects numerous projects, including amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, h2 Rust crate, nghttp2, Node.js, and Tempesta FW. The developers of these projects have already published updates to address the vulnerability.

As a temporary measure, it is recommended to disable HTTP/2 support on the server until the appropriate update is applied. This precaution will help avoid potential attacks and maintain server stability.