New HTTP/2 DoS attack can crash web servers with a single connection
Briefly

The new CONTINUATION Flood vulnerabilities were discovered by researcher Bartek Nowotarski, who says they relate to the use of HTTP/2 CONTINUATION frames, which many implementations of the protocol do not properly limit or check.
The omission of proper frame checks in many implementations allows threat actors to potentially send an extremely long string of frames by simply not setting the 'END_HEADERS' flag, leading to server outages due to out-of-memory crashes or CPU resource exhaustion as these frames are processed.
Nowotarski explains: 'Out of Memory are probably the most boring yet severe cases. There is nothing special about it: no strange logic, no interesting race condition and so on.'
'Implementations without header timeout required just a single HTTP/2 connection to crash the server.'
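
A receiver-side guard for the behaviour described above, as an added example that is not part of the original article or any affected project's code: it walks the frames on one connection and closes it when a header block runs past a size or frame-count cap. The two limits, the returned strings and the sample traffic are assumptions constructed for illustration.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113)
END_HEADERS = 0x4                  # flag: header block is complete

MAX_HEADER_BLOCK = 16 * 1024       # assumed cap on buffered header bytes
MAX_CONTINUATIONS = 8              # assumed cap on CONTINUATION frames per block


def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return struct.pack(">I", len(payload))[1:] + bytes([ftype, flags]) \
        + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def check_header_blocks(data):
    """Walk frames on one connection; return 'ok' or the reason to close it."""
    pos, open_stream, buffered, conts = 0, None, 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        pos += 9 + length
        if open_stream is not None:
            # Until END_HEADERS arrives, only CONTINUATION on that stream is legal.
            if ftype != CONTINUATION or stream_id != open_stream:
                return "protocol error: header block interrupted"
            conts += 1
        elif ftype == HEADERS:
            open_stream, buffered, conts = stream_id, 0, 0
        elif ftype == CONTINUATION:
            return "protocol error: CONTINUATION without HEADERS"
        else:
            continue  # other frame types are outside this check
        buffered += length  # conservative: counts padding/priority bytes too
        if buffered > MAX_HEADER_BLOCK or conts > MAX_CONTINUATIONS:
            return "close: header block exceeds limits"
        if flags & END_HEADERS:
            open_stream = None
    # A block still open here is where a header timeout has to take over.
    return "header block left open" if open_stream is not None else "ok"


# Constructed sample traffic (not captured from a real client).
normal = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 50)
endless = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, 0, 1, b"x" * 1024) * 64
```

The caps bound memory per connection, while the "header block left open" result marks the case the quoted header timeout covers: a peer that stays under the caps but never sends END_HEADERS.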
Read at BleepingComputer