New HTTP/2 Vulnerability: CONTINUATION Flood Exposes Servers to DoS Attacks
A recently discovered vulnerability in the HTTP/2 protocol, dubbed “CONTINUATION Flood,” allows attackers to launch denial-of-service (DoS) attacks potentially more severe than previously known methods. This article explores the technical details of the exploit, its impact on web servers, and mitigation strategies.
What is HTTP/2 CONTINUATION Flood?
HTTP/2 is a faster and more efficient version of the Hypertext Transfer Protocol used for web communication. It breaks communication into “frames”, small typed units that carry headers and data. CONTINUATION frames, specifically, extend a header block that is too large to fit in a single HEADERS frame.
The vulnerability arises from flaws in how some HTTP/2 server implementations handle CONTINUATION frames. These implementations may lack proper limitations or sanitization checks on the number of CONTINUATION frames received within a single stream.
An attacker can exploit this by sending a malicious stream containing a massive number of CONTINUATION frames without the “END_HEADERS” flag, which typically signals the end of the header block. This overwhelming stream can cause the server to:
- Crash: In severe cases, the server might exhaust its memory resources and crash completely.
- Performance Degradation: Even if the server doesn’t crash, processing the excessive frames can consume significant CPU and memory, leading to sluggish performance and potentially impacting legitimate users.
- Memory Leaks: The attack may trigger memory leaks within the server, gradually depleting available memory and causing instability over time.
Why is CONTINUATION Flood Concerning?
The severity of CONTINUATION Flood lies in its potential for single-connection attacks. Unlike traditional DoS attacks that barrage a server with numerous requests from various sources, this exploit requires just a single TCP connection to disrupt server functionality. This makes it more challenging to detect and mitigate using traditional methods that focus on identifying and filtering out large volumes of traffic.
Security researchers believe CONTINUATION Flood poses a greater threat compared to the “Rapid Reset” attack discovered in 2023, which was used to launch record-breaking DDoS attacks.
Mitigating the Threat of CONTINUATION Flood
Fortunately, several steps can be taken to mitigate the risks associated with CONTINUATION Flood:
- Update HTTP/2 Implementations: Server administrators should prioritize updating their HTTP/2 libraries and frameworks to patched versions that address the CONTINUATION Flood vulnerability. Security advisories from organizations like CERT/CC typically list affected software and corresponding CVE identifiers for reference.
- Implement Frame Limits: Server-side configurations can be adjusted to impose limitations on the number and size of CONTINUATION frames allowed within a single stream. This helps prevent resource exhaustion even if an attack attempt is made.
- Monitor Server Performance: Closely monitor server performance metrics like memory usage and CPU load to identify any unusual spikes that might indicate a CONTINUATION Flood attack in progress.
By implementing these measures, web server administrators can significantly reduce the risk of falling victim to CONTINUATION Flood DoS attacks and ensure continued service availability for legitimate users.
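The following is an added illustration of the frame mechanics described above (HEADERS, CONTINUATION, END_HEADERS) and of the “implement frame limits” mitigation. It is not code from the article or from any HTTP/2 server; the frame layout and type/flag constants follow the HTTP/2 specification, while the limit values, function names and the embedded sample byte streams are assumptions constructed for the example. The accumulator buffers header-block fragments per stream and rejects the connection as soon as either the CONTINUATION count or the total header-block size exceeds a fixed cap, instead of buffering an unbounded block.

```python
"""HTTP/2 header-block accumulator with CONTINUATION limits.

Added example (not from the article or any HTTP/2 library). Frame layout and
constants follow the HTTP/2 spec; the limits and sample inputs are assumptions.
"""
import struct

FRAME_HEADER_LEN = 9
MAX_FRAME_SIZE = 16384          # default SETTINGS_MAX_FRAME_SIZE
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Assumed per-stream limits (not from the article); tune for your deployment.
MAX_HEADER_BLOCK_BYTES = 16 * 1024   # total header-block bytes for one stream
MAX_CONTINUATION_FRAMES = 8          # CONTINUATION frames allowed per header block


class ProtocolError(Exception):
    """Peer violated HTTP/2 framing rules or exceeded a configured limit."""


def encode_frame(ftype, flags, stream_id, payload):
    """Build one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        if length > MAX_FRAME_SIZE:
            raise ProtocolError("frame exceeds SETTINGS_MAX_FRAME_SIZE")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        start = pos + FRAME_HEADER_LEN
        if start + length > len(data):
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, data[start:start + length]
        pos = start + length


def collect_header_blocks(data):
    """Reassemble header blocks, enforcing byte and CONTINUATION-count limits.

    Returns [(stream_id, header_block_bytes)] for each block closed by END_HEADERS.
    Raises ProtocolError the moment a limit is exceeded so the caller can drop the
    connection rather than keep buffering. (PADDED/PRIORITY flags are ignored here.)
    """
    blocks = []
    pending = None  # [stream_id, bytearray, continuation_count] while a block is open
    for ftype, flags, stream_id, payload in iter_frames(data):
        if pending is None:
            if ftype == TYPE_CONTINUATION:
                raise ProtocolError("CONTINUATION without preceding HEADERS")
            if ftype != TYPE_HEADERS:
                continue  # other frame types are outside this example's scope
            pending = [stream_id, bytearray(payload), 0]
        else:
            # While a block is open, only CONTINUATION on the same stream is legal.
            if ftype != TYPE_CONTINUATION or stream_id != pending[0]:
                raise ProtocolError("interleaved frame inside header block")
            pending[2] += 1
            if pending[2] > MAX_CONTINUATION_FRAMES:
                raise ProtocolError("too many CONTINUATION frames on stream %d" % stream_id)
            pending[1] += payload
        if len(pending[1]) > MAX_HEADER_BLOCK_BYTES:
            raise ProtocolError("header block exceeds %d bytes" % MAX_HEADER_BLOCK_BYTES)
        if flags & FLAG_END_HEADERS:
            blocks.append((pending[0], bytes(pending[1])))
            pending = None
    return blocks


def check_stream(data):
    """Return ("ok", blocks) or ("rejected", reason) for a captured byte stream."""
    try:
        return "ok", collect_header_blocks(data)
    except ProtocolError as exc:
        return "rejected", str(exc)


def well_formed_stream():
    """Constructed sample: HEADERS plus one CONTINUATION that carries END_HEADERS."""
    return (encode_frame(TYPE_HEADERS, 0, 1, b"\x82\x86")
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))


def never_ending_stream(n_frames):
    """Constructed test vector: HEADERS then n CONTINUATION frames, none with END_HEADERS."""
    data = encode_frame(TYPE_HEADERS, 0, 3, b"\x82")
    for _ in range(n_frames):
        data += encode_frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 64)
    return data


def oversized_block_stream():
    """Constructed test vector: two maximum-size fragments that together exceed the byte cap."""
    return (encode_frame(TYPE_HEADERS, 0, 5, b"\x00" * MAX_FRAME_SIZE)
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 5, b"\x00" * MAX_FRAME_SIZE))


if __name__ == "__main__":
    print(check_stream(well_formed_stream()))
    print(check_stream(never_ending_stream(20)))
    print(check_stream(oversized_block_stream()))
```

Two independent caps matter: a count limit alone can be sidestepped with a few very large fragments, and a byte limit alone still lets a peer keep a block open with many tiny frames, so production servers should enforce both and treat a violation as a connection-level error. A few unfinished CONTINUATION frames within the caps are tolerated (the block simply stays pending), which keeps legitimate large header sets working.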