New HTTP/2 DoS attack can crash web servers with a single connection (Security News, April 2024)
Newly discovered HTTP/2 protocol vulnerabilities called "CONTINUATION Flood" can lead to denial of service attacks, crashing web servers with a single TCP connection in some implementations.
HTTP/2 is an update to the HTTP protocol standardized in 2015, designed to improve web performance by introducing binary framing for efficient data transmission, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead. The new CONTINUATION Flood vulnerabilities were discovered by researcher Barket Nowotarski, who says they stem from the handling of HTTP/2 CONTINUATION frames, which many implementations of the protocol neither limit nor check properly.
The researcher warned that in some implementations the resulting out-of-memory conditions can crash the server using a single HTTP/2 TCP connection.
"Implementations without header timeout required just a single HTTP/2 connection to crash the server."
CVE-2024-28182: Affects implementations using the nghttp2 library, which keeps receiving CONTINUATION frames without a proper stream reset callback, leading to a DoS.
The HTTP/2 CONTINUATION DoS attack can cause excessive resource consumption on the server.
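The mitigation the article alludes to is a bound on how much header data a server buffers while waiting for END_HEADERS, plus a header timeout. The following added example (written for this page, not code from nghttp2 or from the researcher) is a minimal HTTP/2 frame reader that accumulates a HEADERS frame and its CONTINUATION frames and aborts the moment the buffered block exceeds a byte limit, a deadline passes, or a CONTINUATION arrives on the wrong stream; the frame layout follows RFC 9113, while the limits, function names and sample frames are assumptions for illustration.

```python
import time
HEADERS, CONTINUATION = 0x1, 0x9  # frame type codes (RFC 9113, section 6)
END_HEADERS = 0x4                 # flag that terminates a header block

class HeaderBlockError(Exception):
    """Raised when a peer's header block exceeds the configured bounds."""

def build_frame(ftype, flags, stream_id, payload):
    # Frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        sid = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, buf[off + 9:off + 9 + length]
        off += 9 + length

def read_header_block(buf, max_bytes=16384, timeout=5.0, clock=time.monotonic):
    """Collect one HEADERS frame plus its CONTINUATION frames into a block.
    Aborts as soon as the buffered bytes exceed max_bytes or the deadline
    passes, instead of buffering until END_HEADERS arrives. Returns the
    still-HPACK-encoded block; PADDED/PRIORITY fields are not stripped."""
    block, stream, deadline = bytearray(), None, None
    for ftype, flags, sid, payload in iter_frames(buf):
        if stream is None:
            if ftype != HEADERS:
                continue                      # not inside a header block yet
            stream, deadline = sid, clock() + timeout
        elif ftype != CONTINUATION or sid != stream:
            raise HeaderBlockError("expected CONTINUATION on stream %d" % stream)
        block += payload
        if len(block) > max_bytes:
            raise HeaderBlockError("header block exceeds %d bytes" % max_bytes)
        if clock() > deadline:
            raise HeaderBlockError("header block not finished within %.1fs" % timeout)
        if flags & END_HEADERS:
            return bytes(block)
    raise HeaderBlockError("data ended without END_HEADERS")

def is_rejected(buf, **limits):
    """True if read_header_block refuses buf under the given limits (assumed helper)."""
    try:
        read_header_block(buf, **limits)
        return False
    except HeaderBlockError:
        return True
```

Passing a fake `clock` lets the timeout path be exercised deterministically, and `build_frame` produces constructed sample frames for trying the limits offline.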
Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-04-04 | CVE-2024-28182 | nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. | 0.0 |