HTTP/2 network protocol exposes web server are vulnerable to attacks that should burn feasible a denial-of-service (DoS) attack, affected to this vulnerable to many most popular server like Facebook, Microsoft, Amazon, Apple, Apache, Nginx, Node.js.
According to W3Techs, as of August 2019, 40% of the top 10 million websites supported HTTP/2 including popular website like google, facebook, wiki,qq.
Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks. http/2 which are launce in 2015 for better internet security and experience by improving page load but recently Jonathan Looney of Netflix and one by Piotr Sikora of Google discover seven out of eight in vulnerable Jonathan Looney and another one Piotr Sikora has been discovered a total of eight flaws in May 2019 and responsibly informed them to each of the affected vendors and maintainers, which are allotting a client to overload the server’s queue control code. These attack vectors allow a remote attacker to consume excessive system resources.
A vulnerabilities note from the kb.cert organization report matrix of vendors that may be affected products and DDoS vulnerabilities. All discovered by Jonathan Looney of Netflix, except for CVE-2019-9518 which was discovered by Piotr Sikora of Google.
The individual HTTP/2 vulnerabilities discovered included in Below
CVE-2019-9511 HTTP/2 Data Dribble:- Attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9512 HTTP/2 Ping Flood:- Attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9513 HTTP/2 Resource Loop:- Attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVE-2019-9514 HTTP/2 Reset Flood:- Attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service
CVE-2019-9515 HTTP/2 Settings Flood:- Attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgment per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9516 HTTP/2 0-Length Headers Leak:- Attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVE-2017-9517 — HTTP/2 “Internal Data Buffering”:- Attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9518 HTTP/2 Request Data/Header Flood:- Attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)
A malicious client asks the server to do something which generates a response, but the client refuses to read the response. This exercises the server’s queue management code. Depending on how the server handles its queues, the client can force it to consume excessive memory and CPU while processing its requests.