Scarier than "Rapid Reset": a new fundamental vulnerability has been identified in the HTTP/2 protocol

Father

"CONTINUATION Flood" allows you to conduct powerful DoS attacks.

A new vulnerability in the HTTP/2 protocol can be used to conduct denial-of-service (DoS) attacks. The discovery, dubbed the "HTTP/2 CONTINUATION Flood", is the work of security researcher Bartek Nowotarski, who reported the problem to the CERT Coordination Center (CERT/CC) on January 25, 2024.

A CERT/CC advisory published on April 3 states that many HTTP/2 implementations do not correctly handle a large number of CONTINUATION frames sent within a single stream.

CONTINUATION frames in HTTP/2 carry fragments of a header block that did not fit into the preceding HEADERS frame. The last fragment carries the END_HEADERS flag, which marks the end of the block; until that flag arrives, the receiver has to buffer the fragments so that it can decode the complete block. An attacker can therefore open a new HTTP/2 stream against a vulnerable server and send a HEADERS frame followed by an endless sequence of CONTINUATION frames, never setting END_HEADERS. The server keeps accumulating header data that it cannot yet process, its memory use grows without bound, and eventually it runs out of memory and crashes.

"CONTINUATION Flood" is considered a more serious threat compared to the "Rapid Reset" attack, which became known in October 2023. According to Novotarsky, a single machine, and in some cases even a single TCP connection or multiple frames, can completely disrupt the availability of the server. Notably, the requests that make up the attack are not visible in the HTTP access logs, which makes them difficult to detect.

The vulnerability affects many projects, including amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Go, the h2 Rust crate, nghttp2, Node.js and Tempesta FW. The developers of these projects have already published updates that fix the issue.

If the update cannot be applied right away, we recommend disabling HTTP/2 support on the server (falling back to HTTP/1.1) until it is. This is a precautionary measure that helps you avoid potential attacks and keep your servers available.