Hi Community,
Our recent blog post highlighted that there is a widely reported HTTP/2 vulnerability that can be used to generate a DDoS. This is primarily of interest to our Cloud WAF customers, although WAF Gateway customers may also wish to know more.
The following steps can be used for mitigation:
Description
Recently, a class of vulnerabilities in HTTP/2 implementations was published, dubbed HTTP/2 CONTINUATION Flood. The attack abuses CONTINUATION frames that are sent without the END_HEADERS flag, which in turn creates an endless stream of headers that the HTTP/2 server must parse and hold in memory.
Attackers can exploit this behaviour to cause Denial-of-Service by sending a large number of CONTINUATION frames that ultimately exhaust the server's resources (CPU/memory), to the point that it may crash. Because the attack uses inherent functionality of the HTTP/2 protocol, it is particularly challenging to detect and mitigate without affecting normal traffic.
Please see the Imperva blog at https://www.imperva.com/blog/http-2-continuation-flood-vulnerability/
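To illustrate the defensive check described above (a cap on how much header data a single stream may accumulate before END_HEADERS arrives), here is an added Python example; it is not Imperva code and the limits, frame builder and sample streams are constructed for illustration.

```python
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4

# Assumed limits for this example; real servers/WAFs pick their own values.
MAX_HEADER_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATION_FRAMES = 8

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each HTTP/2 frame in a byte string."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        payload = data[pos + 9:pos + 9 + length]
        pos += 9 + length
        yield ftype, flags, stream_id, payload

def check_header_blocks(data, max_bytes=MAX_HEADER_BLOCK_BYTES, max_frames=MAX_CONTINUATION_FRAMES):
    """Return 'ok', or a reason string for the first stream whose header block breaks a limit.
    Raw payload length is counted, so HPACK decoding is not needed to enforce the cap."""
    pending = {}  # stream_id -> (header-block bytes so far, CONTINUATION frames so far)
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == FRAME_HEADERS:
            pending[sid] = (len(payload), 0)
        elif ftype == FRAME_CONTINUATION:
            if sid not in pending:
                return f"stream {sid}: CONTINUATION without preceding HEADERS"
            b, n = pending[sid]
            pending[sid] = (b + len(payload), n + 1)
        else:
            continue  # other frame types do not carry header blocks
        b, n = pending[sid]
        if b > max_bytes:
            return f"stream {sid}: header block exceeds {max_bytes} bytes"
        if n > max_frames:
            return f"stream {sid}: more than {max_frames} CONTINUATION frames"
        if flags & FLAG_END_HEADERS:
            del pending[sid]  # header block complete; stop tracking it
    if pending:
        return f"stream {sorted(pending)[0]}: header block never terminated (no END_HEADERS)"
    return "ok"

def frame(ftype, flags, stream_id, payload):
    """Build one HTTP/2 frame (constructed sample input for the checker)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + stream_id.to_bytes(4, "big") + payload

# Constructed sample streams; payload bytes are placeholders, not real HPACK.
BENIGN = frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, b"\x82\x86")
SPLIT_OK = frame(FRAME_HEADERS, 0, 3, b"\x82") + frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 3, b"\x86")
FLOOD = frame(FRAME_HEADERS, 0, 5, b"\x82") + b"".join(frame(FRAME_CONTINUATION, 0, 5, b"\x40" * 1024) for _ in range(20))
```

`check_header_blocks(FLOOD)` stops at the ninth CONTINUATION frame on stream 5, while the legitimate split header block in `SPLIT_OK` passes.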
Mitigation
Cloud WAF
For CWAF customers the required policies have been applied and enabled, and are currently protecting customers from the DDoS attack.
On-Prem
The required policy is already available, but the specific rule is disabled by default.
The rule is part of the HTTP/1 security policy, but HTTP/2 is covered as well.
The specific rule name is "Too many headers in request".
To access the rule, from the MX UI
- Navigate to Policy >>> Security
- Locate Policy name: HTTP/1.x Protocol Policy
- Find rule - Too Many Headers per Request
- Go to the left and enable the rule
- Save
NOTE: Enabling this rule will only alert by default.
After monitoring, you may want to set it to block.
Here is a screen print of the rule
For more information, visit the following Knowledge Base article and the blog post linked above:
https://docs.imperva.com/bundle/z-kb-articles-km/page/ee272c20.html
Tags: Cloud WAF (formerly Incapsula), On-Premises WAF (formerly SecureSphere)