Imperva Cyber Community

Manual Mitigation for HTTP/2 CONTINUATION Flood Vulnerability

By Sarah Lamont posted 04-08-2024 05:07


Hi Community,

Our recent blog post highlighted a widely reported HTTP/2 vulnerability that can be used to generate a DDoS attack. This is primarily of interest to our Cloud WAF customers, although WAF Gateway customers may also wish to know more.

The following steps can be used for mitigation:


Recently, a class of vulnerabilities in HTTP/2 implementations was published, dubbed HTTP/2 CONTINUATION Flood. The attack sends CONTINUATION frames without setting the END_HEADERS flag, which in turn creates an infinite stream of headers that the HTTP/2 server would need to parse and store in memory.

Attackers can exploit this feature to cause Denial-of-Service attacks by sending a large number of CONTINUATION frames that will ultimately exhaust the server’s resources (CPU/memory) to the point that it might crash. The attack leverages the inherent functionality of the HTTP/2 protocol, making it particularly challenging to detect and mitigate without affecting normal traffic.
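To make the mechanism concrete, here is an added example (not Imperva's code or rule logic) that parses raw HTTP/2 frames and applies the kind of per-header-block limits a server or proxy can enforce. The two limits, the function names and the sample byte strings are assumptions constructed for illustration.

```python
# Added example: limits on one HTTP/2 header block (RFC 9113 frame layout).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
MAX_CONTINUATIONS = 16        # assumed limit, tune per deployment
MAX_BLOCK_BYTES = 64 * 1024   # assumed limit, tune per deployment

def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload_length) for each complete frame."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        if off + 9 + length > len(data):
            break  # truncated capture, stop parsing
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, length
        off += 9 + length

def check_header_blocks(data, max_cont=MAX_CONTINUATIONS, max_bytes=MAX_BLOCK_BYTES):
    """Return (stream_id, continuation_count, block_bytes) per over-limit block.

    block_bytes sums frame payload lengths, so it slightly overcounts when a
    HEADERS frame carries padding or priority fields.
    """
    findings, open_sid, count, size = [], None, 0, 0
    for ftype, flags, sid, length in parse_frames(data):
        if ftype == HEADERS:
            open_sid, count, size = sid, 0, length
        elif ftype == CONTINUATION and sid == open_sid:
            count, size = count + 1, size + length
        else:
            continue
        if count > max_cont or size > max_bytes:
            findings.append((sid, count, size))
            open_sid = None   # a server would close the connection here
        elif flags & END_HEADERS:
            open_sid = None   # header block finished normally
    return findings

# Constructed sample input (not captured traffic).
BENIGN = (frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"\x84")
          + frame(CONTINUATION, END_HEADERS, 1, b"\x86"))
UNTERMINATED = frame(HEADERS, 0, 3, b"\x82") + b"".join(
    frame(CONTINUATION, 0, 3, b"\x00" * 8) for _ in range(100))

if __name__ == "__main__":
    print(check_header_blocks(BENIGN), check_header_blocks(UNTERMINATED))
```

The benign block ends with END_HEADERS and stays under both limits; the unterminated one is reported as soon as it passes the continuation limit, before the rest of the frames are buffered.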

Please see the Imperva blog at


Cloud WAF 

For CWAF customers the required policies have been applied and enabled, and are currently protecting customers from the DDoS attack.


WAF Gateway

For WAF Gateway customers, the required policy is already available, but the specific rule is disabled by default.

The rule is part of the HTTP/1 security policy, but it also covers HTTP/2.

The specific rule name is "Too many headers in request".

To access the rule, from the MX UI:

  • Navigate to Policy >>> Security
  • Locate Policy name: HTTP/1.x Protocol Policy
  • Find rule - Too Many Headers per Request
  • Go to the left and enable the rule
  • Save

NOTE: Enabling this rule will only alert by default.

After monitoring, you may want to set it to block.

Here is a screen print of the rule 

For more information, visit the following Knowledge Base article and Blog

HTTP/2 CONTINUATION Flood Vulnerability