New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset

New HTTP/2 DoS method named Continuation Flood can pose a greater risk than Rapid Reset, which has been used for record-breaking attacks.

HTTP/2 Continuation Flood DoS

A researcher has disclosed a new denial-of-service (DoS) attack method that he claims could pose a severe threat, greater even than Rapid Reset, the vulnerability exploited last year to launch the largest DDoS attacks in internet history.

The new DoS attack method, named HTTP/2 Continuation Flood, was discovered by Bartek Nowotarski, who publicly disclosed its technical details on Wednesday. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University, which helped coordinate disclosure with impacted companies and open source projects, has also published an advisory. 

HTTP/2 Continuation Flood has been described as a class of vulnerabilities affecting many HTTP/2 protocol implementations. It’s caused by the incorrect handling of HEADERS and multiple CONTINUATION frames, and involves sending a stream of CONTINUATION frames without the END_HEADERS flag to properly close the request.

“Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream. An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash,” CERT/CC explained.

According to Nowotarski, “The outcome depends on the implementation but ranges from instant crash after sending a couple of HTTP/2 frames, out of memory crash, to CPU exhaustion affecting server availability.”

The researcher compared HTTP/2 Continuation Flood to Rapid Reset, an HTTP/2 flaw that came to light in October 2023, when tech giants such as Google, Cloudflare and AWS said the vulnerability tracked as CVE-2023-44487 had been leveraged to launch the largest DDoS attacks they had ever seen. 

Rapid Reset abuses an HTTP/2 feature called ‘stream cancellation’ and involves repeatedly sending a request and immediately canceling it. It enables even smaller botnets — Cloudflare customers were targeted by a 20,000-device botnet — to cause significant disruption.

Nowotarski said the Continuation Flood attack could in many cases pose an even bigger threat than Rapid Reset because a single machine has the potential to cause disruption to websites and APIs that use HTTP/2. 

Moreover, there are no requests visible in HTTP access logs, which makes detection more difficult.

“Had it been exploited in the wild, this would have been very hard to debug without proper HTTP/2 knowledge by the server administrators,” the researcher noted. “This is due to the fact that none of the malicious HTTP requests connected to this vulnerability is properly closed. The requests would not be visible in the server access logs and, due to the lack of advanced frame analytics in most HTTP/2 servers, this would have to be handled by manual, tedious raw connection data analysis.”
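The frame handling CERT/CC describes above (HEADERS followed by CONTINUATION frames that never carry END_HEADERS) and the raw-connection analysis the researcher says detection would otherwise require can both be illustrated with a small defensive check. The following is an added Python example, not code from the article, from CERT/CC or from any of the affected projects: it parses raw HTTP/2 frames, tracks the single header block a connection may have open at a time, and reports when that block exceeds a frame-count or byte limit or is never terminated. The two limits, the `frame` helper and the sample byte sequences are assumptions constructed for the example; the HPACK payload bytes are treated as opaque and not decoded.

```python
from dataclasses import dataclass, field
from typing import Optional

# Frame types and flags as defined in RFC 9113 (HTTP/2).
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Limits are assumptions chosen for this example, not values taken from the
# article or from any particular server implementation.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 32


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in raw connection bytes.

    A frame is a 9-byte header (24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream id) followed by `length` payload bytes.
    """
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


@dataclass
class Audit:
    completed_blocks: int = 0            # header blocks closed with END_HEADERS
    open_stream: Optional[int] = None    # stream whose header block is still open
    open_frames: int = 0                 # frames accumulated in the open block
    open_bytes: int = 0                  # payload bytes accumulated in the open block
    violations: list = field(default_factory=list)
    closed_reason: Optional[str] = None  # set when a server should GOAWAY and close


def audit_connection(data: bytes) -> Audit:
    """Walk the frames of one connection and account for header-block state."""
    a = Audit()
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == TYPE_HEADERS:
            if a.open_stream is not None:
                a.violations.append((sid, "HEADERS while another header block is open"))
            a.open_stream, a.open_frames, a.open_bytes = sid, 1, len(payload)
        elif ftype == TYPE_CONTINUATION:
            if a.open_stream != sid:
                a.violations.append((sid, "CONTINUATION without open header block"))
                continue
            a.open_frames += 1
            a.open_bytes += len(payload)
        else:
            continue  # other frame types do not affect header-block accounting

        # Bound both the number of frames and the bytes a block may consume,
        # instead of buffering or decoding an unbounded stream of CONTINUATIONs.
        if a.open_frames > MAX_CONTINUATION_FRAMES or a.open_bytes > MAX_HEADER_BLOCK_BYTES:
            a.closed_reason = (f"header block on stream {sid} exceeded limits after "
                               f"{a.open_frames} frames / {a.open_bytes} bytes")
            a.violations.append((sid, "continuation flood"))
            break
        if flags & FLAG_END_HEADERS:
            a.completed_blocks += 1
            a.open_stream, a.open_frames, a.open_bytes = None, 0, 0
    # A block still open at end of input is the case that never reaches an access log.
    if a.closed_reason is None and a.open_stream is not None:
        a.violations.append((a.open_stream, "header block never terminated"))
    return a


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame; used only to build the constructed sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample: a normal two-frame header block on stream 1, then a block
# on stream 3 whose CONTINUATION frames keep coming without END_HEADERS.
BENIGN = (frame(TYPE_HEADERS, 0, 1, b"\x82\x86")
          + frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))
FLOOD = (frame(TYPE_HEADERS, 0, 3, b"\x82")
         + b"".join(frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 1024) for _ in range(64)))

if __name__ == "__main__":
    result = audit_connection(BENIGN + FLOOD)
    print(result.completed_blocks, result.closed_reason, result.violations)
```

Run against the constructed input, the benign block completes normally, while the stream 3 block trips the byte limit on its 17th frame and the audit records a `closed_reason`, the point at which a server should stop processing rather than keep decoding frames. Applying the limits to a block as a whole, rather than to each frame in isolation, is what distinguishes this check from per-frame size validation, which the flood passes frame by frame.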

Based on Cloudflare data, HTTP/2 traffic accounts for more than 60% of real users’ HTTP traffic. As such, the researcher said, “we can assume that a large part of the internet was affected by an easy-to-exploit vulnerability”. 

Individual CVE identifiers have been assigned to various implementations impacted by HTTP/2 Continuation Flood, including AMPHP (CVE-2024-2653), Apache HTTP Server (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy (CVE-2024-27919 and CVE-2024-30255), Golang (CVE-2023-45288), Node.js (CVE-2024-27983), Nghttp2 (CVE-2024-28182), and Tempesta FW (CVE-2024-2758). Patches and mitigations are being rolled out for several of the impacted implementations. 

CERT/CC’s advisory also lists Red Hat, Suse Linux and Arista Networks as being affected. Arista has published an advisory detailing the impact on its products.

The CERT/CC advisory also lists several companies that have confirmed not being impacted, as well as dozens of vendors that have yet to confirm or deny being affected. 

The responsible disclosure process for HTTP/2 Continuation Flood started in early January 2024. 

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.