Author Topic: HTTP/2 CONTINUATION Flood  (Read 266 times)

madires (Topic starter)

  • Super Contributor
  • ***
  • Posts: 7872
  • Country: de
  • A qualified hobbyist ;)
HTTP/2 CONTINUATION Flood
« on: April 05, 2024, 12:12:19 pm »
For anyone running an HTTP/2 webserver: https://nowotarski.info/http2-continuation-flood/

From the webpage:
Quote
tl;dr: The CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.

BTW, Apache httpd v2.4.59 (includes fix) was released yesterday.
 
The following users thanked this post: SiliconWizard
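
Because the quoted summary says these requests never show up in HTTP access logs, any limit has to be enforced at the frame layer. The following is an added example, not code from the post or the linked article: it parses HTTP/2 frame headers (layout and type/flag values per RFC 9113) from a constructed byte string and reports header blocks that exceed a cap on CONTINUATION frames or total bytes. The function names and both limits are assumptions chosen for illustration.

```python
# Frame type and flag values from RFC 9113 (HTTP/2).
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4

def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload_length) for each complete frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        if pos + 9 + length > len(buf):
            break  # truncated final frame
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield buf[pos + 3], buf[pos + 4], stream_id, length
        pos += 9 + length

def audit_header_blocks(buf, max_continuations=8, max_block_bytes=16384):
    """Return (stream_id, continuation_count, block_bytes) per block over a limit.
    Both limits are assumed values, not taken from any server's defaults."""
    findings, open_stream, count, size = [], None, 0, 0
    for ftype, flags, sid, length in iter_frames(buf):
        if ftype == HEADERS:
            open_stream, count, size = sid, 0, length
        elif ftype == CONTINUATION and sid == open_stream:
            count, size = count + 1, size + length
        else:
            continue
        if count > max_continuations or size > max_block_bytes:
            findings.append((sid, count, size))
            open_stream = None  # a server would drop the connection at this point
        elif flags & END_HEADERS:
            open_stream = None  # header block completed normally
    return findings

# Constructed sample: opaque 16-byte payloads stand in for HPACK data.
P = b"\x00" * 16
SAMPLE = (
    frame(HEADERS, END_HEADERS, 1, P)                      # single-frame block
    + frame(HEADERS, 0, 3, P) + frame(CONTINUATION, 0, 3, P)
    + frame(CONTINUATION, END_HEADERS, 3, P)               # block closed properly
    + frame(HEADERS, 0, 5, P) + frame(CONTINUATION, 0, 5, P) * 12  # never closed
)

if __name__ == "__main__":
    for sid, n, size in audit_header_blocks(SAMPLE):
        print(f"stream {sid}: {n} CONTINUATION frames, {size} bytes, over limit")
```

The byte count here sums raw frame payload lengths, so it is an upper bound on the compressed header block; a server would additionally cap the decoded header list size.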

