New HTTP/2 DoS attack can crash web servers with a single connection

Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service (DoS) attacks, crashing web servers with a single TCP connection in some implementations.

HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead

The new CONTINUATION Flood vulnerabilities were discovered by researcher Barket Nowotarski, who says that it relates to the use of HTTP/2 CONTINUATION frames, which are not properly limited or checked in many implementations of the protocol.

HTTP/2 messages include header and trailer sections serialized into blocks. These blocks can be fragmented across multiple frames for transmission, and the CONTINUATION frames are used for stitching the stream.

The omission of proper frame checks in many implementations allows threat actors to potentially send an extremely long string of frames by simply not setting the 'END_HEADERS' flag, leading to server outages due to out-of-memory crashes or CPU resource exhaustion as these frames are processed.

The researcher warned that out of memory conditions could lead to server crashes using a single HTTP/2 TCP connection in some implementations.

"Out of Memory are probably the most boring yet severe cases. There is nothing special about it: no strange logic, no interesting race condition and so on," Nowotarski explains.

"The implementations that allow OOM simply did not limit the size of headers list built using CONTINUATION frames."

"Implementations without header timeout required just a single HTTP/2 connection to crash the server."

An alert from the CERT Coordination Center (CERT-CC) published today lists several CVE IDs corresponding to different HTTP/2 implementations vulnerable to these attacks.

These implementations allow varying levels of denial of service attacks, including memory leaks, memory consumption, and CPU exhaustion, as described below:

• CVE-2024-27983: Affects Node.js HTTP/2 server. Sending a few HTTP/2 frames can cause a memory leak due to a race condition, leading to a potential DoS.
• CVE-2024-27919: Affects Envoy's oghttp codec. Unlimited memory consumption due to not resetting a request when header map limits are exceeded.
• CVE-2024-2758: Relates to Tempesta FW. Its rate limits are not effectively preventing empty CONTINUATION frames attacks, potentially allowing DoS.
• CVE-2024-2653: Affects amphp/http. It collects CONTINUATION frames in an unbounded buffer, risking an OOM crash if the header size limit is exceeded.
• CVE-2023-45288: Affects Go's net/http and net/http2 packages. Allows an attacker to send an arbitrarily large set of headers, causing excessive CPU consumption.
• CVE-2024-28182: Involves an implementation using nghttp2 library, which continues to receive CONTINUATION frames, leading to a DoS without proper stream reset callback.
• CVE-2024-27316: Affects Apache Httpd. Continuous stream of CONTINUATION frames without the END_HEADERS flag set can be sent, improperly terminating requests.
• CVE-2024-31309: Affects Apache Traffic Server. HTTP/2 CONTINUATION DoS attack can cause excessive resource consumption on the server.
• CVE-2024-30255: Affects Envoy versions 1.29.2 or earlier. Vulnerable to CPU exhaustion due to a flood of CONTINUATION frames, consuming significant server resources.

Severe impact

So far, according to CERT-CC, vendors and HTTP/2 libraries who have confirmed they are impacted by at least one of the above CVEs are Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language.

Nowotarski says the problem is more severe than the 'HTTP/2 Rapid Reset' attack revealed last October by major cloud service providers, which has been under active exploitation since August 2023.

"Given that Cloudflare Radar estimates HTTP traffic data above 70% of all internet transfer and significance of affected projects I believe that we can assume that large part of internet was affected by an easy-to-exploit vulnerability: in many cases just a single TCP connection was enough to crash the server, " warned Nowotarski.

Also, the researcher warns that the problem would be complex for server administrators to debug and mitigate without proper HTTP/2 knowledge.

That's because the malicious requests wouldn't be visible in the access logs if advanced frame analytics isn't enabled on the server, which in most cases isn't.

As threat actors commonly monitor for newly discovered DDoS techniques to use in their stresser services and attacks, it is critical to upgrade impacted servers and libraries before the vulnerabilities are actively exploited.