HTTP/2 CONTINUATION: the new DDoS affecting most Linux servers

V.A. (Victor) Angelier BSCyS
2 min read · Apr 11, 2024


A recent discovery has set the Linux hosting world into abrupt action: an interesting vulnerability that affects most, if not all, HTTP-related services, even though HTTP/2 has been standardized since 2015.

The DDoS attack vector in HTTP/2

Cybersecurity researchers have recently uncovered a new vulnerability within the HTTP/2 protocol that allows malicious actors to execute Denial of Service (DoS) attacks, potentially crashing servers with just a single TCP connection.

This vulnerability is associated with the use of HTTP/2 CONTINUATION frames, which is why the researcher who discovered it, Bartek Nowotarski, has named it the ‘CONTINUATION Flood’.

According to Trending Tech News, a Dutch tech-news website, HTTP/2 is the updated version of the HTTP protocol, standardized in 2015. It was designed to enhance web performance by introducing binary framing for efficient data transfer, multiplexing that allows multiple requests and responses over a single connection, and header compression to reduce overhead.

In HTTP/2 messages, header and trailer sections are serialized into header blocks, which can be fragmented for transmission. CONTINUATION frames are then used to link these fragments together. However, due to inadequate frame controls, an attacker can send excessively long frame sequences, potentially exhausting the server's CPU or memory while it tries to process them.
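To make the mechanism concrete, here is an added example (my own code, not from the article or from any of the affected projects) of how a server reassembles a header block from HEADERS and CONTINUATION frames, first without any limit, as the article says vulnerable implementations did, and then with a cap on the buffered block size and the number of CONTINUATION frames. The frame layout follows RFC 9113; the limit values (16 KiB, 32 frames) are assumptions chosen for illustration, and the sample frame bytes are constructed in memory, not captured traffic.

```python
"""Bounded reassembly of HTTP/2 header blocks (HEADERS + CONTINUATION).
Added example: contrasts unbounded buffering of CONTINUATION fragments
with a capped assembler that rejects an over-long header block."""
import struct
from dataclasses import dataclass, field
from typing import Iterator, Optional, Tuple

# Frame types and flags from RFC 9113
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def encode_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame; used only to build the constructed input below."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes) -> Iterator[Frame]:
    """Split a byte stream into frames; raises on a truncated trailing frame."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        frame_type, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN: off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        off += FRAME_HEADER_LEN + length
        yield frame_type, flags, stream_id, payload
    if off != len(data):
        raise ValueError("trailing bytes shorter than a frame header")


@dataclass
class HeaderBlockAssembler:
    """Reassembles one header block from HEADERS + CONTINUATION fragments.
    Passing None for both limits reproduces the unbounded behaviour the
    article describes; the default limits are illustrative assumptions."""
    max_block_bytes: Optional[int] = 16 * 1024
    max_continuations: Optional[int] = 32
    peak_buffered: int = 0
    _stream: Optional[int] = None
    _buf: bytearray = field(default_factory=bytearray)
    _count: int = 0

    def feed(self, frame_type: int, flags: int, stream_id: int, payload: bytes) -> Optional[bytes]:
        """Return the complete header block on END_HEADERS, else None.
        Raises ConnectionError where a real server would send GOAWAY and close."""
        if frame_type == FRAME_HEADERS:
            if self._stream is not None:
                raise ConnectionError("PROTOCOL_ERROR: HEADERS while a header block is open")
            self._stream, self._buf, self._count = stream_id, bytearray(), 0
        elif frame_type == FRAME_CONTINUATION:
            if stream_id != self._stream:
                raise ConnectionError("PROTOCOL_ERROR: CONTINUATION without matching HEADERS")
            self._count += 1
            if self.max_continuations is not None and self._count > self.max_continuations:
                raise ConnectionError("ENHANCE_YOUR_CALM: too many CONTINUATION frames")
        elif self._stream is not None:
            # RFC 9113 section 6.10: only CONTINUATION may follow HEADERS without END_HEADERS
            raise ConnectionError("PROTOCOL_ERROR: other frame inside an open header block")
        else:
            return None  # unrelated frame type; nothing to assemble
        self._buf += payload
        self.peak_buffered = max(self.peak_buffered, len(self._buf))
        if self.max_block_bytes is not None and len(self._buf) > self.max_block_bytes:
            raise ConnectionError("ENHANCE_YOUR_CALM: header block exceeds size limit")
        if flags & FLAG_END_HEADERS:
            block = bytes(self._buf)
            self._stream, self._buf, self._count = None, bytearray(), 0
            return block
        return None


def process(data: bytes, assembler: HeaderBlockAssembler) -> dict:
    """Feed a frame stream through the assembler and summarise the outcome."""
    blocks = 0
    try:
        for frame in iter_frames(data):
            if assembler.feed(*frame) is not None:
                blocks += 1
        return {"ok": True, "blocks": blocks, "peak": assembler.peak_buffered, "error": None}
    except ConnectionError as exc:
        return {"ok": False, "blocks": blocks, "peak": assembler.peak_buffered, "error": str(exc)}


# Constructed sample input (not captured traffic). The payload bytes are HPACK
# static-table indexes (:method GET, :path /, :scheme http) but are not decoded here.
NORMAL_REQUEST = (encode_frame(FRAME_HEADERS, 0, 1, b"\x82\x84")
                  + encode_frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x86"))

# The pattern the article describes: a header block whose CONTINUATION frames never end.
ENDLESS_CONTINUATIONS = encode_frame(FRAME_HEADERS, 0, 1, b"\x82") + b"".join(
    encode_frame(FRAME_CONTINUATION, 0, 1, b"\x00" * 1024) for _ in range(200))

if __name__ == "__main__":
    print("normal, bounded   :", process(NORMAL_REQUEST, HeaderBlockAssembler()))
    print("endless, unbounded:", process(ENDLESS_CONTINUATIONS, HeaderBlockAssembler(None, None)))
    print("endless, bounded  :", process(ENDLESS_CONTINUATIONS, HeaderBlockAssembler()))
```

Run as-is, the unbounded assembler happily buffers the whole 200 KiB sequence and reports success with no header block ever completed, which is exactly the state a server is left in while memory keeps growing; the bounded assembler aborts the connection as soon as the block passes 16 KiB. In a real implementation the equivalent knobs are the configured maximum header list size and a cap on frames per header block, and the error should be reported on the connection (GOAWAY) rather than the stream, since the attacker controls the stream.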

Depending on the HTTP/2 implementation, these vulnerabilities are tracked under various CVEs. Some are more disruptive than others and can lead to DoS attacks, memory leaks, excessive memory consumption, and more: CVE-2024-27983, CVE-2024-27919, CVE-2024-2758, CVE-2024-2653, CVE-2023-45288, CVE-2024-28182, CVE-2024-27316, CVE-2024-31309, and CVE-2024-30255.

Organizations including Red Hat, SUSE Linux, Arista Networks, Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language have confirmed their vulnerability to at least one of these CVEs.

Update your servers!


V.A. (Victor) Angelier BSCyS

Linux nerd, developer, security specialist, outdoor guide, pilot, WAFA, bSec