Security News > 2024 > April > New HTTP/2 DoS attack can crash web servers with a single connection
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service attacks, crashing web servers with a single TCP connection in some implementations.
HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead. The new CONTINUATION Flood vulnerabilities were discovered by researcher Barket Nowotarski, who says that it relates to the use of HTTP/2 CONTINUATION frames, which are not properly limited or checked in many implementations of the protocol.
The researcher warned that out of memory conditions could lead to server crashes using a single HTTP/2 TCP connection in some implementations.
"Implementations without header timeout required just a single HTTP/2 connection to crash the server."
CVE-2024-28182: Involves an implementation using nghttp2 library, which continues to receive CONTINUATION frames, leading to a DoS without proper stream reset callback.
HTTP/2 CONTINUATION DoS attack can cause excessive resource consumption on the server.
News URL
Related news
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- New NachoVPN attack uses rogue VPN servers to install malicious updates (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)
- FBI spots HiatusRAT malware attacks targeting web cameras, DVRs (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-04-04 | CVE-2024-28182 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. | 0.0 |