Security researcher Bartek Nowotarski disclosed a new class of vulnerabilities within the HTTP/2 protocol, known as the HTTP/2 CONTINUATION Flood.
This attack vector is proving to be a significant threat, potentially more dangerous than the previously known Rapid Reset attack.
The HTTP/2 CONTINUATION Flood allows a single machine, and in some cases, just a single TCP connection or a few frames, to cause significant disruptions to server operations, leading to crashes or severe performance degradation.
The Mechanics of the Attack
The HTTP/2 protocol allows multiple concurrent requests and responses between clients and servers. However, it is now being scrutinized due to a newfound vulnerability.
The attack exploits the CONTINUATION frames, a feature of HTTP/2 that enables the sending of a large header block in a series of frames.
An attacker initiates a new HTTP/2 stream and sends HEADERS and CONTINUATION frames without ever setting the END_HEADERS flag. This results in an infinite stream of headers that the server is compelled to parse and store, consuming memory resources indefinitely.
Unlike HTTP/1.1, where servers have mechanisms to protect against infinite headers, HTTP/2 servers are left vulnerable because the attack does not trigger the usual defenses.
One of the most concerning aspects of the CONTINUATION Flood is its stealthiness. Since the attack does not complete a request (no END_HEADERS flag is set), it leaves no trace in HTTP access logs.
This means that server administrators are blind to the attack, receiving no alerts from the usual influx of inbound server requests that would typically signify an ongoing attack, Nowotarksi said.
Implications and Concerns
The simplicity and low resource requirement of the CONTINUATION Flood attack makes it particularly alarming.
In some instances, researchers have found that a minimal amount of data sent through a single TCP connection is sufficient to crash a server.
This raises significant concerns about the security of websites and online services that rely on HTTP/2, as attackers can potentially disrupt services with minimal effort and go undetected.
The discovery of the CONTINUATION Flood vulnerability has prompted a call to action within the cybersecurity community.
Server administrators and software developers are urged to review their HTTP/2 implementations and apply necessary patches or updates to mitigate this vulnerability.
Additionally, there is a need for enhanced monitoring tools that can detect such stealthy attacks and alert administrators in real-time.
The HTTP/2 CONTINUATION Flood attack serves as a reminder of the constant vigilance required to protect our online infrastructure and the importance of staying ahead of emerging cybersecurity threats.
Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide