
The HTTP/2 CONTINUATION Flood: A New Denial-of-Service Threat Explained
In the ongoing effort to build a faster and more efficient web, the HTTP/2 protocol has been a game-changer. It allows for more responsive websites and applications by multiplexing many requests over a single connection. However, a recently disclosed class of vulnerability, dubbed the “HTTP/2 CONTINUATION Flood,” exposes a weakness in how many implementations reassemble request headers. It can be exploited to exhaust the memory of a vulnerable web server from a single connection with minimal effort, leading to significant service disruptions.
This sophisticated Denial-of-Service (DoS) attack targets a fundamental aspect of how HTTP/2 processes data, making it a widespread threat to a vast range of online services. Understanding how this attack works is the first step toward securing your infrastructure.
How HTTP/2 Handles Headers
To understand the vulnerability, it’s important to know how HTTP/2 manages HTTP headers, the metadata sent with every web request. HTTP/1.1 sends headers as a simple block of text terminated by a blank line. HTTP/2 instead compresses the headers with HPACK into a “header block” and carries that block inside binary frames.
A request’s header block begins in a HEADERS frame. If the block is too large to fit in a single frame (the default maximum frame payload is 16 KiB), the remainder is split across one or more CONTINUATION frames that must immediately follow on the same stream, with no other frames interleaved on the connection. The server buffers these fragments in memory until it sees the END_HEADERS flag on the last frame, which signals that the header block is complete. Only then does it decompress the block and process the request; until that point the buffered fragments are opaque, undecoded bytes.
The Mechanics of the CONTINUATION Flood Attack
The CONTINUATION Flood attack exploits this process. An attacker opens a standard HTTP/2 connection but crafts a malicious frame sequence:
- An initial HEADERS frame is sent, without END_HEADERS, to begin the request.
- The attacker then sends a long, continuous stream of CONTINUATION frames on the same stream.
- Crucially, the attacker never sets the END_HEADERS flag on any of them.
A server that waits for END_HEADERS before checking the size of the header block has no reason to stop: it keeps accepting CONTINUATION frames and allocating more memory for the ever-growing, incomplete block. This continues until the process runs out of memory, at which point it slows down, stops responding, and in many cases is killed or crashes outright.
This is a particularly dangerous form of DoS attack because a single, malicious connection from an attacker can monopolize a server’s resources and bring it down. It’s a low-effort, high-impact exploit.
Why This Vulnerability is So Critical
The seriousness of the HTTP/2 CONTINUATION Flood stems from several key factors:
- Widespread Impact: The weakness is not a bug in one product but a mistake that many independent HTTP/2 implementations made in the same way: enforcing header limits only after the block is complete. As a result, a range of web servers, reverse proxies, load balancers, and language runtimes were affected and each needed its own fix.
- Resource Exhaustion: The attack directly targets server memory, one of the most critical system resources. Depending on the implementation, the outcome ranges from severe slowdown and unresponsiveness to the process being terminated by the operating system, which means a full outage until it is restarted.
- Stealth and Efficiency: Unlike volumetric DDoS attacks that require massive traffic, this attack can be executed from a single machine over one connection. The traffic is low-bandwidth and looks like a legitimate, slowly arriving request, and because the request never completes it typically never appears in the access log, allowing it to evade basic, log-based security measures.
Actionable Steps to Protect Your Servers
Protecting your infrastructure requires a proactive approach. Simply waiting for an attack to happen is not a viable strategy. System administrators and developers should take the following steps immediately to mitigate the risk.
1. Update and Patch Your Software Immediately
This is the most important line of defense. Vendors of affected software, including the teams behind the Apache HTTP Server, Node.js, the Go standard library, and the nghttp2 library used by many other projects, have released patches to address this vulnerability. Check for and apply security updates for all your web-facing components, including:
- Web servers
- Reverse proxies
- Load balancers
- Content Delivery Networks (CDNs)
2. Implement and Enforce Strict Limits
The core fix for this issue is to bound the header block while it is still being received. Implementations do this by capping the total number of bytes buffered across the HEADERS and CONTINUATION frames of one block, the number of CONTINUATION frames accepted per block, or both. The check must run on every fragment as it arrives, not when END_HEADERS is seen, because in this attack END_HEADERS never arrives. Once a limit is exceeded, the server should treat it as a connection error and close the connection. If you manage your server configuration, confirm that your HTTP/2 implementation applies such a limit and that it is not set to an unbounded or excessively large value.
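The frame sequence described under “The Mechanics of the CONTINUATION Flood Attack” and the per-fragment limit described in this step, modelled offline in one added example. This is illustrative code written for this page, not code from the original post or from any HTTP/2 implementation. It builds raw HTTP/2 frames (9-byte frame header, type 0x1 HEADERS, type 0x9 CONTINUATION, flag 0x4 END_HEADERS), constructs an attack stream that never sets END_HEADERS, and runs it through a naive reassembler and a hardened one. The limit values (16 KiB, 8 CONTINUATION frames) and the fragment contents are assumptions chosen for the demonstration.

```python
"""
Offline model of the HTTP/2 CONTINUATION flood: a frame builder, a constructed
attack stream, a naive reassembler that buffers until END_HEADERS, and a
hardened one that enforces limits while fragments are still arriving.
Added example, not code from the original post or any HTTP/2 implementation.
"""
import struct

# Frame type codes and the flag bit we care about (RFC 9113 sections 6.2, 6.10).
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame header followed by its payload."""
    length = len(payload).to_bytes(3, "big")
    return length + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            break  # truncated trailing frame; a real server would wait for more bytes
        yield ftype, flags, stream_id, data[start:end]
        off = end


def header_block_stream(fragments, stream_id=1, finish=True):
    """Constructed traffic: a HEADERS frame carrying the first fragment, then one
    CONTINUATION frame per remaining fragment. END_HEADERS is set on the last
    frame only when finish=True; finish=False is the flood pattern, where the
    block never terminates and the server keeps buffering."""
    frames = []
    for i, frag in enumerate(fragments):
        ftype = HEADERS if i == 0 else CONTINUATION
        last = i == len(fragments) - 1
        flags = END_HEADERS if (last and finish) else 0
        frames.append(build_frame(ftype, flags, stream_id, frag))
    return b"".join(frames)


def naive_reassemble(data):
    """Vulnerable pattern: accumulate fragments until END_HEADERS with no bound.
    Returns (status, bytes_buffered); 'incomplete' means the buffer is still held
    in memory, waiting for a flag that in the flood never comes."""
    buf = bytearray()
    for ftype, flags, _sid, payload in parse_frames(data):
        if ftype in (HEADERS, CONTINUATION):
            buf += payload  # the HPACK decoder only runs once the block is complete
            if flags & END_HEADERS:
                return "complete", len(buf)
    return "incomplete", len(buf)


def bounded_reassemble(data, max_block_bytes=16 * 1024, max_continuations=8):
    """Hardened pattern: check limits on every fragment, before END_HEADERS, and
    treat any violation as a connection error. The limit values are assumptions
    for this example, not the defaults of any particular server."""
    buf = bytearray()
    continuations = 0
    expected_stream = None  # stream on which a header block is currently open
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            expected_stream = sid
        elif ftype == CONTINUATION:
            # A CONTINUATION is only legal directly after HEADERS/CONTINUATION on the same stream.
            if expected_stream is None or sid != expected_stream:
                return "protocol_error", len(buf)
            continuations += 1
            if continuations > max_continuations:
                return "flood", len(buf)
        elif expected_stream is not None:
            return "protocol_error", len(buf)  # no other frame may interleave mid-block
        else:
            continue  # unrelated frame outside a header block
        buf += payload
        if len(buf) > max_block_bytes:
            return "flood", len(buf)
        if flags & END_HEADERS:
            return "complete", len(buf)
    return "incomplete", len(buf)


if __name__ == "__main__":
    # Constructed opaque bytes standing in for compressed header data. They are never
    # decoded in the flood case because the block never completes.
    frag = b"\x80" * 1024
    flood = header_block_stream([frag] * 1000, finish=False)
    print("naive:  ", naive_reassemble(flood))    # ('incomplete', 1024000): memory held, nothing logged
    print("bounded:", bounded_reassemble(flood))  # ('flood', 9216): aborted after 8 CONTINUATION frames
    print("legit:  ", bounded_reassemble(header_block_stream([frag] * 4)))  # ('complete', 4096)
```

The naive reassembler holds a megabyte for a 1000-frame stream and would hold a gigabyte for a million frames, all for a request that is never logged because it is never finished. The bounded reassembler aborts after nine fragments regardless of how many follow, while a legitimate large header block split across a few frames still completes. The two limits complement each other: the byte cap bounds memory directly, and the frame-count cap also stops an attacker from sending thousands of tiny frames to burn CPU.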
3. Leverage a Web Application Firewall (WAF)
A properly configured WAF or edge proxy can provide an essential layer of protection, with one caveat: it only helps if it terminates the HTTP/2 connection itself, since the frames are not visible to anything inspecting traffic after termination. Many modern WAFs inspect incoming traffic for protocol anomalies and can be configured to identify and close connections that send an abnormally high number of CONTINUATION frames or an oversized header block, dropping the malicious traffic before it ever reaches your origin server. Remember that the device doing the terminating is then the one reassembling header blocks, so it must itself be patched.
4. Monitor Server Health and Resources
Keep a close watch on your server’s memory and CPU usage and on the number of open connections. An unexplained rise in memory consumption on a web server, especially without a matching rise in completed requests in the access log, is a strong indicator of a CONTINUATION Flood, since the attacking requests never complete and are usually never logged. Set up alerts on anomalous resource usage and on long-lived connections with no completed requests so your team can investigate and respond quickly.
By understanding the threat and taking these decisive actions, you can safeguard your services against this serious vulnerability and ensure the continued stability and availability of your web infrastructure.
Source: https://blog.cloudflare.com/go-and-enhance-your-calm/


