Continuation flood attack causing problems on servers using HTTP/2.0

Information has been disclosed about the β€œContinuation flood” attack method affecting various implementations of the HTTP/2 protocol, including Apache httpd, Apache Traffic Server, Node.js, oghttp, Go net/http2, Envoy, oghttp and nghttp2. The vulnerability can be used to carry out attacks on servers that support HTTP/2.0 and, depending on the implementation, leads to memory exhaustion (stopping request processing or crashing processes) or creating a high CPU load (slowdown of request processing). According to the researcher who discovered the vulnerability, the identified problem is more dangerous than the β€œRapid Reset” vulnerability found last year, which was used to carry out the largest DDoS attacks at that time.

The high level of danger is explained by the fact that in order to disrupt the work ServerTo cause a crash, or a significant performance degradation, it's enough to create a stream of specially crafted requests from a single, regular computer. In certain cases, even a single TCP connection is enough to carry out an attack. Moreover, attack-related traffic doesn't stand out in logs from regular user requests.

The vulnerability is caused by the processing of HEADERS and CONTINUATION frames in HTTP/2 requests. HEADERS frames are used in HTTP/2 to send HTTP headers, and CONTINUATION frames are used to split the sending of HTTP headers into several stages (for example, when the headers do not fit into one frame, or when headers that can be filled in at the current stage should be sent first, and then resend headers whose values ​​cannot yet be determined). When sending headers in multiple stages, a HEADERS frame without the END_HEADERS flag is sent first, followed by several CONTINUATION frames with additional headers, and a CONTINUATION frame with the END_HEADERS flag ends the list.

The attack method consists of sending a continuous stream of CONTINUATION frames without setting the END_HEADERS flag. This activity results in the transmission of server A large number of headers, which the server stores in RAM until the available memory is exhausted. To create a high CPU load, in addition to memory exhaustion, an attacker can exploit compression of CONTINUATION frames using the HPACK format, which requires computational effort to parse. In HTTP/1.1 implementations, header size limits and connection timeouts were used to protect against header flooding. Due to the increased complexity of the protocol, many HTTP/2 implementations did not implement such protection against infinite header sending.

The vulnerability is most dangerous for users of Node.js (CVE-2024-27983), since this implementation can cause a crash by sending just a few frames to the server. Due to race conditions in Node.js, in order to cause an abort via an Assert check, it is sufficient to terminate connections while sending an incomplete header stream (crash if a CONTINUATION frame with the END_HEADERS flag has not yet arrived when connections are closed). The vulnerability is fixed in Node.js 18.20.1, 21.7.2 and 20.12.1, as well as in recent releases of the llhttp and undici libraries. New versions of Node.js also eliminate a less dangerous vulnerability (CVE-2024-27982) of the β€œrequest smuggling” class, which allows, through manipulation of the β€œContent Length” value, to wedge into the contents of requests from other users processed in the same thread between the frontend and backend.

CONTINUATION handling vulnerabilities in other HTTP/2.0 implementations:

  • oghttp (CVE-2024-27919) - unlimited memory consumption.
  • Tempesta FW (CVE-2024-2758) - bypass restrictions.
  • PHP library amphp/http, amphp/http-client and amphp/http-server (CVE-2024-2653) - unlimited memory consumption, up to the complete exhaustion of available memory.
  • Go package net/http (CVE-2023-45288) - creates high CPU load.
  • nghttp2 library (CVE-2024-28182) - denial of service.
  • Apache Httpd (CVE-2024-27316 - excessive memory consumption and CPU load.
  • Apache Traffic Server (CVE-2024-31309 - excessive resource consumption.
  • Envoy (CVE-2024-30255) - creating a high load on the CPU (a 300Mbit/s thread is required to fully load one CPU core).

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster