Imperva Cyber Community

 View Only

Manual Mitigation for HTTP/2 CONTINUATION Flood Vulnerability

By Sarah Lamont posted 04-08-2024 05:07

  

Hi Community,

Our recent blog post highlighted that there is a widely reported HTTP/2 vulnerability that can be used to generate a DDoS. This is primarily of interest to our Cloud WAF customers, although WAF Gateway customers may also wish to know more.

The following steps can be used for mitigation:

Description

Recently, a class of vulnerabilities in HTTP/2 implementations was published, dubbed HTTP/2 CONTINUATION Flood. This attack leverages the CONTINUATION frame that is being sent without setting the END_HEADERS, which in return creates an infinite stream of headers that HTTP/2 server would need to parse and store in memory.

Attackers can exploit this feature to cause Denial-of-Service attacks by sending a large amount of CONTINUATION frames that will ultimately exhaust the server’s resources (CPU/memory) to a point that it might crash. The attack leverages the inherent functionality of the HTTP/2 protocol, making it particularly challenging to detect and mitigate without affecting normal traffic.

Please see the Imperva blog at https://www.imperva.com/blog/http-2-continuation-flood-vulnerability/

Mitigation 

Cloud WAF 

For CWAF customers the required policies have been applied and enabled, and is currently protecting customers from the DDoS attack.

On-Prem 

The required policy is already available but, the specific rule is disabled by default.

The rule is part of the HTTP/1 security policy, but HTTP/2 is covered.  

The specific rule name is "Too many headers in request "

To access the rule, from the MX UI 

  •         Navigate to Policy >>> Security 
  •         Locate Policy name: HTTP/1.x Protocol Policy
  •         Find rule - Too Many Headers per Request
  •         Go to he left and enable the rule 
  •         Save 

NOTE: Enabling this rule will only alert by default.

After monitoring you may want to set it to block 

Here is a screen print of the rule 

For more information, visit the following Knowledge Base article and Blog

https://docs.imperva.com/bundle/z-kb-articles-km/page/ee272c20.html

HTTP/2 CONTINUATION Flood Vulnerability


#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)
0 comments
20 views

Permalink