Two fast, two furious
HTTP/2 – the major revision of the HTTP protocol now used across much of the web – is affected by a series of denial-of-service (DoS) vulnerabilities.
A variety of HTTP/2 implementations are affected by several distinct resource exhaustion vectors when they attempt to handle abnormal traffic, security researchers at Netflix and Google have discovered.
Any of the issues gives miscreants a way to mount denial-of-service attacks against servers that support HTTP/2, and a single malicious client is enough: no botnet is required.
Several vendors have already released patches, which operators of affected HTTP/2 servers are advised to apply.
Where no patch is yet available, or where it cannot be applied promptly, operators are advised to disable HTTP/2 support as a precaution; clients then fall back to HTTP/1.1.
None of the HTTP/2 vulnerabilities lets an attacker read or modify traffic, but each can be used to exhaust a vulnerable server's memory or CPU until it crashes or stops serving requests.
In an advisory, Netflix explains: “Many of the attack vectors we found… are variants on a theme: a malicious client asks the server to do something which generates a response, but the client refuses to read the response. This exercises the server’s queue management code.”
“Depending on how the server handles its queues, the client can force it to consume excess memory and CPU while processing its requests,” it adds.
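The pattern the advisory describes, modelled as an added example (this is not Netflix's, Google's or any vendor's code): a server must answer every PING and SETTINGS frame, and if the client never reads those answers they pile up in the server's outbound queue. The frame layout follows RFC 7540 section 4.1; the per-connection budget of unread response bytes, the 4096-byte limit and the constructed PING burst are illustrative assumptions, not the fix any vendor actually shipped.

```python
"""
Toy model of an HTTP/2 server whose responses are queued until the client
reads them, plus a bounded-queue defence.  Added example, not code from any
affected HTTP/2 implementation.  Frame layout per RFC 7540 section 4.1;
the unread-byte budget and the sample traffic are illustrative assumptions.
"""
import struct

# HTTP/2 frame type codes (RFC 7540 section 6).
DATA, HEADERS, RST_STREAM, SETTINGS, PING = 0x0, 0x1, 0x3, 0x4, 0x6
FLAG_ACK = 0x1
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 1-bit R + 31-bit stream id


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame with the RFC 7540 section 4.1 header."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 24-bit length field")
    header = (struct.pack(">I", len(payload))[1:]          # 3-byte length
              + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))  # reserved bit cleared
    return header + payload


def decode_frames(buf):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        start = pos + FRAME_HEADER_LEN
        payload = buf[start:start + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        pos = start + length
    return frames


class ServerConnection:
    """Server side of one connection.  Every PING/SETTINGS from the peer
    generates an ACK that sits in `outbound` until the peer reads it.

    max_unread_bytes is a hypothetical budget (assumption): once the unread
    response queue exceeds it, the connection is marked for closure rather
    than allowed to consume memory without bound.
    """

    def __init__(self, max_unread_bytes=4096):
        self.max_unread_bytes = max_unread_bytes
        self.outbound = bytearray()   # responses the client has not yet read
        self.closed = False
        self.reason = None

    def receive(self, raw):
        """Process client frames; returns False once the connection is closed."""
        for ftype, flags, stream_id, payload in decode_frames(raw):
            if self.closed:
                break
            if ftype == PING and not flags & FLAG_ACK:
                # RFC 7540 6.7: a PING must be answered with a PING ACK
                # carrying the same 8 opaque bytes.
                self._enqueue(encode_frame(PING, FLAG_ACK, 0, payload))
            elif ftype == SETTINGS and not flags & FLAG_ACK:
                # RFC 7540 6.5: every SETTINGS frame must be acknowledged.
                self._enqueue(encode_frame(SETTINGS, FLAG_ACK, 0))
            # DATA/HEADERS/RST_STREAM handling omitted: the queue is the point.
        return not self.closed

    def _enqueue(self, frame):
        self.outbound += frame
        if len(self.outbound) > self.max_unread_bytes:
            self.closed = True
            self.reason = "unread response queue exceeded %d bytes" % self.max_unread_bytes

    def client_reads(self, nbytes):
        """Simulate the peer draining nbytes from the socket."""
        read = bytes(self.outbound[:nbytes])
        del self.outbound[:nbytes]
        return read


def run_scenario(count, drain_per_frame=0):
    """Send `count` constructed PING frames to a fresh connection.

    A well-behaved client reads each 17-byte PING ACK as it arrives
    (drain_per_frame=17); the abusive client never reads (drain_per_frame=0).
    Returns (still_open, unread_bytes).
    """
    conn = ServerConnection()
    for i in range(count):
        conn.receive(encode_frame(PING, 0, 0, struct.pack(">Q", i)))
        if drain_per_frame and not conn.closed:
            conn.client_reads(drain_per_frame)
    return (not conn.closed, len(conn.outbound))


if __name__ == "__main__":
    print("well-behaved client:", run_scenario(1000, drain_per_frame=17))
    print("client that never reads:", run_scenario(1000), )
```

Without the budget the second scenario would keep growing by 17 bytes per PING for as long as the client cared to send them, which is exactly the memory-and-CPU pressure the advisory describes; with it, the server cuts the connection after a few hundred unanswered ACKs. Real servers apply the same idea by capping outstanding control-frame responses or the size of the write buffer per connection.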
Eight denial-of-service flaws in HTTP/2 were disclosed on Tuesday: seven were found by Jonathan Looney of Netflix and the eighth by Piotr Sikora of Google.
Netflix's advisory gives the lowdown on each flaw, and a CERT/CC vulnerability note lists the affected vendors.
HTTP/2 is a step change from HTTP/1.1, replacing its text format with binary framing and adding header compression (HPACK) and multiplexing of multiple streams over a single connection.
Around 40% of the top 10 million websites support HTTP/2, according to the latest figures from W3Techs.