Skip to main content

Exploiting HTTP/2 CONTINUATION frames for DoS attacks

blog-feature-pypi-spoof

April 8, 2024

0 mins read

About the vulnerability

The vulnerability lies in the way HTTP/2 implementations handle CONTINUATION frames, which are used to transmit header blocks larger than the maximum frame size. Attackers exploit this weakness by sending an excessive number of CONTINUATION frames within a single HTTP/2 stream. This flood of frames overwhelms the server's capacity to process them efficiently.

The severity of this vulnerability was highlighted by Bartek Nowotarski, who noted that it poses a more significant threat compared to previous incidents, such as the 'HTTP/2 Rapid Reset' attack. Furthermore, this vulnerability has been actively exploited since August 2023.

What makes this attack particularly concerning is its potential to crash web servers with just a single TCP connection or even just a handful of frames. As a result, affected servers may experience substantial performance degradation or complete unavailability.

This vulnerability affects a wide range of vendors and HTTP/2 libraries, including but not limited to Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Affected versions

Project

Affected versions

CVE ID

amphp/http

>= 2.0.0 && <= 2.1.0, <= 1.7.2

CVE-2024-2653

Apache HTTP Server (httpd)

2.4.17-2.4.58

CVE-2024-27316

Apache Tomcat

<=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98

CVE-2024-24549

Apache Traffic Server

8.0.0-8.1.9, 9.0.0-9.2.3

CVE-2024-31309

Envoy proxy (oghttp)

1.29.0, 1.29.1

CVE-2024-27919

Envoy proxy (nghttp2)

<=1.29.2

CVE-2024-30255

Golang

<=1.20, <=1.21.8, <=1.22.1

CVE-2023-45288**

nghttp2

<=1.60.0

CVE-2024-28182

Node.js

<=18.20.0, <=20.12.0, <=21.7.1

CVE-2024-27983

Tempesta FW

0.7.0

CVE-2024-2758

Impact 

Given the widespread use of HTTP/2 and its prevalence in internet traffic (estimated to be above 70% by Cloudflare Radar), the impact of this vulnerability is significant. It underscores the critical need for prompt patching and robust security measures to mitigate the risk of exploitation and protect web servers from devastating denial of service (DoS) and security restriction bypass attacks.

Mitigation

Update the impacted program to the most recent version, with the vulnerability patched in. If a patch is not available, consider temporarily turning off HTTP/2 on the server.

Solution

Patch and update: Ensure the most recent security updates are applied to your server software, relevant libraries, and HTTP/2 implementations. Check software suppliers' updates frequently, and when updates are available, install them right away to fix known vulnerabilities.

Put rate limiting into practice: Set rate limits to limit the number of requests or frames that may be handled in a given amount of time. This may lessen the effects of heavy traffic or floods.

Analyze and monitor traffic: Keep an eye out for any odd patterns or spikes in incoming traffic that could point to a possible assault. Examine unprocessed HTTP traffic to detect and address malicious requests that take advantage of holes in HTTP/2 implementations.

Use web application firewalls (WAFs): Set up WAFs to filter incoming traffic and stop malicious requests from reaching your server. Set up WAF rules to identify and stop known attack patterns linked to DoS assaults on HTTP/2.

Put network-level defenses into practice: To identify and stop suspicious traffic patterns suggestive of DoS attacks aimed at HTTP/2 implementations, employ network-level defenses like intrusion detection systems (IDS) or intrusion prevention systems (IPS).

Diversify server implementations: Work toward distributing your server implementations among other projects or providers. This can increase resistance to attacks and lessen the effect of vulnerabilities unique to a given implementation.

Detecting vulnerabilities with Snyk

  1. amphp/http (CVE-2024-2653) - Allocation of Resources Without Limits or Throttling

  2. Apache HTTP Server (CVE-2024-27316) - Uncontrolled Resource Consumption ('Resource Exhaustion')

  3. Apache Tomcat (CVE-2024-24549) - Improper Input Validation

  4. Apache Traffic Server (CVE-2024-31309) - Uncontrolled Resource Consumption ('Resource Exhaustion')

  5. Envoy proxy (CVE-2024-27919 and CVE-2024-30255) - Detection of Error Condition Without Action and Uncontrolled Resource Consumption ('Resource Exhaustion') 

  6. Golang (CVE-2023-45288) - Resource Exhaustion

  7. h2 Rust crate

  8. nghttp2 (CVE-2024-28182) - Resource Exhaustion

  9. Node.js (CVE-2024-27983)  - Resource Exhaustion

  10. Tempesta FW (CVE-2024-2758) - Allocation of Resources Without Limits or Throttling 

References

  1. https://nowotarski.info/

  2. https://nowotarski.info/http2-continuation-flood-technical-details/#reachable-assertion-crash-nodejs-special-case 

  3. https://datatracker.ietf.org/doc/html/rfc7540 

  4. https://www.securityweek.com/new-http-2-dos-attack-potentially-more-severe-than-record-breaking-rapid-reset/

blog-feature-pypi-spoof

How to Build a Security Champions Program

Snyk interviewed 20+ security leaders who have successfully and unsuccessfully built security champions programs. Check out this playbook to learn how to run an effective developer-focused security champions program.