New HTTP/2 DOS Attack More Intense Than The Record-Breaking Rapid Reset
Urfa Sarmad
A researcher called Bartek Nowotarski revealed a new Denial of Service (DoS) method called the “HTTP/2 Continuation Flood,” which is deemed to be a more serious threat than the Rapid Reset, which was a vulnerability that was exploited in 2023 to launch the biggest Distributed DoS (DDoS) attacks. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University (CMU) also helped coordinate the disclosure with the affected companies and open-source projects.
HTTP/2 Continuation Flood is a vulnerability affecting many HTTP/2 protocol implementations. It happens by incorrectly handling the HEADERS and various CONTINUATION frames, including sending a stream of CONTINUATION frames without the END_HEADERS flag to close the request correctly.
The researcher Nowotarski compared the HTTP/2 Continuation Flood to Rapid Reset. This HTTP/2 flaw came into acknowledgment in October 2023, when the biggest tech companies like Google, AWS, and Cloudflare said that the vulnerability tracked as CVE-2023-44487 is being used to implement the largest DDoS Attacks they’ve ever witnessed.
Rapid Reset exploits an HTTP/2 feature called ‘stream cancellation,’ which includes repeatedly sending a request and immediately canceling it. It allows even smaller botnets to cause significant destruction. Nowotarski stated that the Continuation Flood Attack could pose an even more significant threat in some specific situations than the Rapid Reset because a single machine has the potential to cause harm to websites and APIs using HTTP/2.
Additionally, no requests are visible in the HTTPS access logs, making the detection even more challenging.
“Had it been exploited in the wild, this would have been very hard to debug without proper HTTP/2 knowledge by the server administrators,” Nowotarski noted.
“This is because none of the malicious HTTP requests connected to this vulnerability are properly closed. The requests would not be visible in the server access logs, and due to lack of advanced frame analytics in most HTTP/2 servers, this would have to be handled by manual, tedious raw connection data analysis.”
According to Cloudflare’s data, HTTP/2 traffic accounts for 60% of real user’s HTTP traffic. The researcher stated, “We can assume that a large part of the internet was affected by an easy-to-exploit vulnerability.”
CERT/CC’s advisory lists Red Hat, Suse Linux, and Arista Networks as impacted entities. Arista also published an advisory that details the impact on its products. CERT/CC’s advisory has also listed various companies that haven’t been affected and countless other vendors that have yet to confirm or deny that they’ve been affected. The disclosure process for HTTP/2 Continuation Flood came into effect in early January 2024.
No comments were posted yet