New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

New HTTP/2 DoS method named Continuation Flood can pose a greater risk than Rapid Reset, which has been used for record-breaking attacks.


A researcher has disclosed a new denial-of-service (DoS) attack method that he claims could pose a severe threat, greater even than Rapid Reset, the vulnerability exploited last year to launch the largest DDoS attacks in internet history.

The new DoS attack method, named HTTP/2 Continuation Flood, was discovered by Bartek Nowotarski, who publicly disclosed its technical details on Wednesday. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which helped coordinate disclosure with impacted companies and open source projects, has also published an advisory. 

HTTP/2 Continuation Flood has been described as a class of vulnerabilities affecting many HTTP/2 protocol implementations. It is caused by the incorrect handling of a HEADERS frame followed by multiple CONTINUATION frames: the attacker opens a header block and then keeps sending CONTINUATION frames that never carry the END_HEADERS flag, so the request is never properly closed.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream. An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash,” CERT/CC explained.

According to Nowotarski, “The outcome depends on the implementation but ranges from instant crash after sending a couple of HTTP/2 frames, out of memory crash, to CPU exhaustion affecting server availability.”

The researcher compared HTTP/2 Continuation Flood to Rapid Reset, an HTTP/2 flaw that came to light in October 2023, when tech giants such as Google, Cloudflare and AWS said the vulnerability tracked as CVE-2023-44487 had been leveraged to launch the largest DDoS attacks they had ever seen. 

Rapid Reset abuses an HTTP/2 feature called ‘stream cancellation’ and involves repeatedly sending a request and immediately canceling it. It enables even smaller botnets — Cloudflare customers were targeted by a 20,000-device botnet — to cause significant disruption.

Nowotarski said the Continuation Flood attack could in many cases pose an even bigger threat than Rapid Reset because a single machine has the potential to cause disruption to websites and APIs that use HTTP/2. 


Moreover, there are no requests visible in HTTP access logs, which makes detection more difficult.

“Had it been exploited in the wild, this would have been very hard to debug without proper HTTP/2 knowledge by the server administrators,” the researcher noted. “This is due to the fact that none of the malicious HTTP requests connected to this vulnerability is properly closed. The requests would not be visible in the server access logs and due to lack of advanced frame analytics in most HTTP/2 servers this would have to be handled by manual, tedious raw connection data analysis.”
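The mechanism described above (a header block that is never closed) and the detection problem the researcher raises (nothing reaches the access log, so the signal is only in the raw frames) can both be illustrated with a small frame-level check. This is an added example, not code from the article, CERT/CC, or any of the affected projects; the CONTINUATION and byte limits and the sample frames are constructed for the example.

```python
import struct

# HTTP/2 frame types and flags as defined in RFC 9113
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4

# Assumed budgets for one header block (constructed for this example; real
# servers pick their own values in their Continuation Flood fixes)
MAX_CONTINUATION_FRAMES = 8
MAX_HEADER_BLOCK_BYTES = 16 * 1024


def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    length = struct.pack("!I", len(payload))[1:]
    return length + bytes([ftype, flags]) + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload


def check_header_blocks(data):
    """Walk the raw frames of one connection and return (ok, reason).

    A HEADERS frame must be closed by END_HEADERS, on the same stream, within a
    bounded number of CONTINUATION frames and bounded total bytes; a block that
    is never closed is exactly the condition that never reaches the access log."""
    pos, open_stream, cont_frames, block_bytes = 0, None, 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += 9 + length
        if open_stream is None:
            if ftype == CONTINUATION:
                return False, "CONTINUATION without preceding HEADERS"
            if ftype == HEADERS:
                open_stream, cont_frames, block_bytes = stream_id, 0, length
        elif ftype != CONTINUATION or stream_id != open_stream:
            return False, "header block interrupted by another frame"  # RFC 9113 §6.10
        else:
            cont_frames, block_bytes = cont_frames + 1, block_bytes + length
        if open_stream is not None:
            if cont_frames > MAX_CONTINUATION_FRAMES:
                return False, f"stream {open_stream}: too many CONTINUATION frames"
            if block_bytes > MAX_HEADER_BLOCK_BYTES:
                return False, f"stream {open_stream}: header block too large"
            if flags & END_HEADERS:
                open_stream = None
    if open_stream is not None:  # complete capture ended with an open block
        return False, f"stream {open_stream}: header block never closed"
    return True, "ok"


# Constructed samples: a normal request split across two frames, and a stream
# that keeps sending CONTINUATION frames without ever setting END_HEADERS
BENIGN = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x84")
ABUSIVE = frame(HEADERS, 0, 3, b"\x82") + b"".join(frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(20))
```

Run over a pcap-extracted byte stream, the function gives the per-stream reason a server that only logs completed requests cannot provide.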

Based on Cloudflare data, HTTP/2 traffic accounts for more than 60% of real users’ HTTP traffic. As such, the researcher said, “we can assume that a large part of the internet was affected by an easy-to-exploit vulnerability”. 

Individual CVE identifiers have been assigned to various implementations impacted by HTTP/2 Continuation Flood, including AMPHP (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), Node.js (CVE-2024-27983), Nghttp2 (CVE-2024-28182), and Tempesta FW (CVE-2024-2758). Patches and mitigations are being rolled out for several of the impacted implementations. 

CERT/CC’s advisory also lists Red Hat, SUSE Linux and Arista Networks as being affected. Arista has published an advisory detailing the impact on its products.

The CERT/CC advisory also lists several companies that have confirmed not being impacted, as well as dozens of vendors that have yet to confirm or deny being affected. 

The responsible disclosure process for HTTP/2 Continuation Flood started in early January 2024. 


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
