A new attack method called “Continuation Flood” affecting various implementations of the HTTP/2 protocol has been disclosed. It can be used to attack servers that support HTTP/2, potentially leading to memory exhaustion or high CPU load. The impact of this vulnerability is considered more severe than that of the “Rapid Reset” vulnerability discovered last year.
The danger lies in the fact that a regular computer can create a stream of specially crafted requests to disrupt a server or significantly decrease its performance. In some cases, even a single TCP connection is sufficient to carry out the attack, with the malicious traffic blending in with legitimate user requests in server logs.
The vulnerability is attributed to the way HEADERS and CONTINUATION frames are handled in HTTP/2 requests. HEADERS frames transfer HTTP headers, while CONTINUATION frames allow the transmission of headers to be split across multiple frames. By sending an ongoing stream of CONTINUATION frames without the END_HEADERS flag, an attacker can overwhelm a server with a large number of headers, exhausting the server’s memory.
Additionally, the attacker can increase CPU load by compressing the content of the CONTINUATION frames using HPACK, which requires additional calculations on the server. Unlike HTTP/1.1 implementations, many HTTP/2 implementations lack mechanisms to protect against excessive header flooding.
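The missing protection described above is a budget on a header block that is still open. The following sketch is an added example, not code from any HTTP/2 implementation: it parses the 9-byte frame header and rejects a header block once its accumulated size or CONTINUATION count passes a limit, before END_HEADERS is ever seen. The limit values, function names and sample byte strings are assumptions made for illustration.

```python
import struct

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4  # frame types and flag from RFC 9113

class HeaderBlockLimitExceeded(Exception):
    """Raised when an unfinished header block passes the configured limits."""

def frame(ftype, flags, stream_id, payload):
    """Build one HTTP/2 frame (used only to construct the offline samples below)."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):
            break  # partial frame: wait for more bytes
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos + 9:end]
        pos = end

def count_header_blocks(buf, max_block_bytes=16384, max_continuations=8):
    """Return completed header blocks; raise as soon as an open block is too large.

    The limits are illustrative assumptions. Payload length is used as an upper
    bound on the fragment size (padding and priority fields are not stripped).
    """
    open_stream, size, conts, completed = None, 0, 0, 0
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype == HEADERS:
            open_stream, size, conts = sid, len(payload), 0
        elif ftype == CONTINUATION and sid == open_stream:
            size, conts = size + len(payload), conts + 1
        else:
            continue  # frames outside a header block are not this check's concern
        # Enforce the budget before END_HEADERS arrives, not after reassembly.
        if size > max_block_bytes or conts > max_continuations:
            raise HeaderBlockLimitExceeded(f"stream {sid}: {size} bytes, {conts} CONTINUATION frames")
        if flags & END_HEADERS:
            open_stream, completed = None, completed + 1
    return completed

# Constructed samples: a normal two-frame block, and a block that never ends.
NORMAL = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 100)
UNTERMINATED = frame(HEADERS, 0, 3, b"a" * 10) + frame(CONTINUATION, 0, 3, b"x" * 1000) * 20
```

A server that only checks the header size after the block is complete never reaches its check on the second sample, which is why the limit has to be applied per frame while the block is still open.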