Security News > 2024 > April > New HTTP/2 DoS attack can crash web servers with a single connection
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service attacks, crashing web servers with a single TCP connection in some implementations.
HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead. The new CONTINUATION Flood vulnerabilities were discovered by researcher Barket Nowotarski, who says that it relates to the use of HTTP/2 CONTINUATION frames, which are not properly limited or checked in many implementations of the protocol.
The researcher warned that out of memory conditions could lead to server crashes using a single HTTP/2 TCP connection in some implementations.
"Implementations without header timeout required just a single HTTP/2 connection to crash the server."
CVE-2024-28182: Involves an implementation using nghttp2 library, which continues to receive CONTINUATION frames, leading to a DoS without proper stream reset callback.
HTTP/2 CONTINUATION DoS attack can cause excessive resource consumption on the server.
News URL
Related news
- New OpenSSH flaws expose SSH servers to MiTM and DoS attacks (source)
- Over 3 million mail servers without encryption exposed to sniffing attacks (source)
- Over 660,000 Rsync servers exposed to code execution attacks (source)
- New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch Now (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-04 | CVE-2024-28182 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. | 0.0 |