Unraveling the HTTP/2 CONTINUATION Flood: A New Cybersecurity Threat Exposed
Charles M. Walls | April 4, 2024
Recent investigations have unveiled a critical vulnerability in the HTTP/2 protocol, opening the door to potential denial-of-service (DoS) attacks. Dubbed the HTTP/2 CONTINUATION Flood, this flaw was first identified by cybersecurity expert Bartek Nowotarski and reported to the CERT Coordination Center (CERT/CC) on January 25, 2024. The issue lies in how certain HTTP/2 implementations manage CONTINUATION frames within a single data stream, as highlighted in an advisory released by CERT/CC on April 3, 2024.
"An onslaught of CONTINUATION frames sent to a server can either be improperly added to the header list or processed without being appended, leading to an out-of-memory (OOM) crash," the advisory explains. HTTP/2 builds on the structure used by its predecessor, HTTP/1, by employing header fields in requests and responses, which are organized into header lists and then segmented into blocks for transmission. Notably, the CONTINUATION frame, identified by type=0x9, facilitates the extension of a sequence of header block fragments.
This vulnerability, referred to as CONTINUATION Flood, is considered significantly more threatening than the Rapid Reset attack uncovered in October 2023. According to Nowotarski, a single machine, and in some cases a single TCP connection or just a few frames, can severely compromise server functionality. This can manifest as server crashes or considerable declines in performance, with the malicious traffic never appearing in HTTP access logs.
Essentially, an attacker opens a new HTTP/2 stream to a susceptible server and sends a HEADERS frame followed by a stream of CONTINUATION frames, none of which carries the END_HEADERS flag, so the server keeps decoding and storing a header block that never ends. The consequences of such attacks vary from immediate crashes to CPU exhaustion, all of which jeopardize server availability.
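As an added illustration of the defensive side, not code from the article or from any of the affected projects, the following frame-level guard shows what a hardened HTTP/2 implementation does: it caps how many header block fragment bytes one stream may accumulate before END_HEADERS arrives and rejects CONTINUATION frames that do not follow a HEADERS frame on the same stream. The frame layout and type/flag values come from RFC 9113; the byte cap, the constructed sample frames and the function names are assumptions for this example.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113)
END_HEADERS = 0x4                  # flag bit on HEADERS/CONTINUATION frames

# Hypothetical cap on buffered header block bytes per stream. A real server
# derives this from its SETTINGS_MAX_HEADER_LIST_SIZE and HPACK decoder limits.
MAX_HEADER_BLOCK = 16 * 1024

def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in `data`."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, data[off + 9:off + 9 + length]
        off += 9 + length

def check_header_blocks(data, limit=MAX_HEADER_BLOCK):
    """Return "ok", or the reason a server should close the connection.

    Fragment bytes are counted before HPACK decoding, so the guard fires even
    though no request ever completes (and nothing reaches the access log).
    """
    pending = None  # (stream_id, bytes buffered) while END_HEADERS is missing
    for ftype, flags, sid, payload in frames(data):
        if pending is not None and (ftype != CONTINUATION or sid != pending[0]):
            return "PROTOCOL_ERROR: non-CONTINUATION frame inside a header block"
        if ftype == HEADERS and pending is None:
            pending = (sid, 0)
        elif ftype == CONTINUATION and pending is None:
            return "PROTOCOL_ERROR: CONTINUATION without an open header block"
        elif pending is None:
            continue  # other frame types are not part of a header block
        pending = (pending[0], pending[1] + len(payload))  # whole payload = upper bound
        if pending[1] > limit:
            return "ENHANCE_YOUR_CALM: header block exceeds %d bytes" % limit
        if flags & END_HEADERS:
            pending = None  # block complete; hand it to the HPACK decoder
    return "ok" if pending is None else "incomplete header block at end of input"

if __name__ == "__main__":
    # Constructed sample: HEADERS without END_HEADERS, then 20 CONTINUATION frames.
    flood = frame(HEADERS, 0, 1, b"\x82") + b"".join(
        frame(CONTINUATION, 0, 1, b"\x00" * 1024) for _ in range(20))
    print(check_header_blocks(flood))
```

The guard trips after 16 KiB of fragments regardless of how many frames carry them, which is the check the advisory says vulnerable implementations lacked.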
"Although RFC 9113 outlines several security concerns related to CONTINUATION frames, it does not specifically address scenarios where these frames are sent sans the crucial END_HEADERS flag, which can severely impact affected servers," Nowotarski noted.
The flaw has been identified across multiple software projects, including amphp/http, Apache HTTP Server, Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, h2 Rust crate, nghttp2, Node.js, and Tempesta FW. To safeguard against potential exploits, users are urged to update their software to the latest versions. In cases where a patch is not yet available, temporarily disabling HTTP/2 on the server is recommended as a precautionary measure.