The HTTP/2 Continuation Flood: A New Era of Denial-of-Service Threats Emerges

Cybersecurity expert Bartek Nowotarski recently unveiled a novel denial-of-service (DoS) attack strategy known as the HTTP/2 Continuation Flood. This method represents a considerable escalation in threat level compared to the well-documented Rapid Reset attack. Following this revelation, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University swiftly released an advisory to tackle the vulnerabilities identified in various organizations.

The Continuation Flood involves a critical mishandling of HEADERS and CONTINUATION frames within various HTTP/2 protocol implementations, creating a scenario where an unbroken flow of CONTINUATION frames, lacking the essential END_HEADERS flag for request finalization, leads to potential service disruption. This oversight allows attackers to flood servers with CONTINUATION frames, causing either processing without memory list appending or an out-of-memory (OOM) crash.

This new vulnerability contrasts with the Rapid Reset flaw identified in October 2023, which exploited a feature within HTTP/2 to launch some of the largest DDoS attacks witnessed by entities such as Google, Cloudflare, and AWS. The stealth of the Continuation Flood, affecting websites and APIs reliant on HTTP/2 without detection in HTTP access logs, complicates the challenge of mitigation.

The stealthy nature of this attack method underscores the difficulties in detection and mitigation, noting that without a nuanced understanding of the HTTP/2 protocol, administrators would struggle to identify and address such attacks. This is compounded by the fact that malicious requests fail to close properly, eluding detection in server access logs and necessitating intricate analysis of raw connection data.

Cloudflare data indicates that HTTP/2 traffic constitutes over 60% of real user HTTP traffic, suggesting the Continuation Flood could potentially impact a vast portion of the internet. The assignment of individual CVE identifiers to various impacted implementations, such as AMPHP, Apache HTTP Server, and Envoy, alongside the initiation of patches and mitigations, highlights the extensive nature of this threat.

Furthermore, the CERT/CC advisory lists affected entities including Red Hat, Suse Linux, and Arista Networks, with Arista releasing its advisory on product impacts. The advisory also mentions organizations that have confirmed their systems are unaffected and many vendors currently assessing their vulnerability status.

This responsible disclosure process, initiated in early January 2024, emphasizes the critical importance of collaborative security efforts to thwart the exploitation of vulnerabilities like the HTTP/2 Continuation Flood.

Identifying New Vulnerabilities in HTTP/2

Expanding on Nowotarski’s findings, additional vulnerabilities within HTTP/2 implementations have been identified, each with distinct CVE identifiers, presenting a range of DoS exploits from memory leaks and uncontrolled memory consumption to CPU overload:

  • The Node.js HTTP/2 server is vulnerable to a DoS attack due to a race condition that can trigger a memory leak when processing certain HTTP/2 frames, as identified in CVE-2024-27983.
  • Envoy’s oghttp codec faces a vulnerability (CVE-2024-27919) where a request’s failure to reset upon exceeding header map limits leads to unlimited memory consumption, setting the stage for DoS.
  • In the case of Tempesta FW (CVE-2024-2758), its inability to thwart attacks employing empty CONTINUATION frames exposes it to potential DoS attacks.
  • The amphp/http library (CVE-2024-2653) risks an out-of-memory (OOM) crash due to its handling of CONTINUATION frames in an unrestricted buffer, potentially if the header size limit is breached.
  • Go’s net/http and net/http2 packages (CVE-2023-45288) allow attackers to induce excessive CPU consumption by sending an abnormally large set of headers, leading to service degradation.
  • A flaw in nghttp2 library (CVE-2024-28182) that continues processing CONTINUATION frames without proper stream reset mechanisms can lead to DoS attacks.
  • Apache Httpd (CVE-2024-27316) allows an unending stream of CONTINUATION frames without the END_HEADERS flag, improperly terminating requests and potentially enabling DoS attacks.
  • Apache Traffic Server is identified as susceptible to resource exhaustion from an HTTP/2 CONTINUATION DoS attack (CVE-2024-31309), stressing server capabilities.
  • Earlier versions of Envoy (up to 1.29.2) encounter CPU overload from a flood of CONTINUATION frames (CVE-2024-30255), consuming significant server resources.

Entities such as Red Hat, SUSE Linux, Arista Networks, and the Apache HTTP Server Project, alongside nghttp2, Node.js, AMPHP, and the Go Programming Language, are confirmed to be impacted by one or more of these vulnerabilities.

This extensive array of vulnerabilities indicates a situation more precarious than that posed by the ‘HTTP/2 Rapid Reset’ attack disclosed last year, emphasizing the ease with which these vulnerabilities can be exploited—often requiring merely a single TCP connection to compromise server functionality. Given Cloudflare Radar’s data, indicating that HTTP traffic accounts for a significant majority of internet transfers, the potential impact is vast, underscoring the urgency for collective action in addressing these security challenges.

To protect your systems against the HTTP/2 Continuation Flood attack and similar vulnerabilities, we recommend taking the following steps:

Advisory on the HTTP/2 Continuation Flood Attack

Immediate Assessment and Patching: It’s crucial for organizations to quickly evaluate their risk level concerning the HTTP/2 Continuation Flood and other related security weaknesses. Applying patches and updates from vendors, such as Apache, Envoy, and Node.js, should be a top priority to reduce identified threats.

Enhanced Monitoring: The covert nature of this attack means it might not show up in standard HTTP access logs. Therefore, improving monitoring processes is essential. Pay special attention to analyzing raw connection data for any irregularities that could signal an attack in progress.

Collaboration and Sharing: The complexity of the Continuation Flood attack highlights the necessity of working together in the cybersecurity community. Exchange threat information and defensive strategies with colleagues and engage in forums dedicated to cybersecurity to keep abreast of new threats and defense mechanisms.

Comprehensive Security Strategy: In addition to quick fixes, formulating a broad security strategy is key. This strategy should encompass regular system audits, the latest updates, and training for staff. A deep understanding of HTTP/2 and similar protocols will enable administrators to better recognize and mitigate attacks.

Vendor Communication: Make sure to communicate with your vendors to check the progress of their vulnerability assessments and when patches will be available. Keeping your security solutions and infrastructure updated with the latest vendor recommendations is crucial for maintaining defense readiness.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.