Imperva Cyber Community

 View Only

HTTP/2 CONTINUATION Flood Vulnerability

By Sarah Lamont posted 04-05-2024 05:40


Nadav Avital, Senior Director, Threat Research

HTTP/2, a widely adopted web communication protocol, organizes data transmission through a binary framing layer, wherein all communication is divided into smaller messages called frames, each identified by a specific type, such as headers, data, and continuation frames.

HTTP/2 HEADER frames facilitate the transmission of HTTP headers for requests and responses, employing the HPACK encoding algorithm for compression and efficiency. These frames can be marked with flags like END_HEADERS, indicating completion of header transmission, and END_STREAM, denoting the absence of further request/response body.

Each frame has a maximum size set at the start of communication. When a HEADER frame can’t accommodate all headers, it’s sent with the END_HEADERS flag unset, followed by CONTINUATION– a feature of the HTTP/2 protocol designed to handle large header blocks by spreading them across multiple frames– to continue the header stream.

Recently, a class of vulnerabilities in HTTP/2 implementations was published, dubbed HTTP/2 CONTINUATION Flood. This attack leverages the CONTINUATION frame that is being sent without setting the END_HEADERS, which in return creates an infinite stream of headers that HTTP/2 server would need to parse and store in memory. Attackers can exploit this feature to cause Denial-of-Service attacks by sending a large amount of CONTINUATION frames that will ultimately exhaust the server’s resources (CPU/memory) to a point that it might crash. The attack leverages the inherent functionality of the HTTP/2 protocol, making it particularly challenging to detect and mitigate without affecting normal traffic.

Imperva’s Cloud WAF includes a built-in security mechanism that prevents HTTP/2 connections from continuously sending large header information without an end. Imperva WAF Gateway customers should enable this protection; for CWAF customers, no action is required. In addition to the existing HTTP/2 security, Imperva is adding a dedicated measurement mechanism to Cloud WAF that will provide insights and visibility into CONTINUATION flood attacks specifically.

Imperva Threat Research is monitoring for any new developments and will update if necessary