"New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset"

A researcher named Bartek Nowotarski has disclosed a new Denial-of-Service (DoS) attack method called "HTTP/2 Continuation Flood," which could pose a more serious threat than Rapid Reset, the vulnerability exploited in 2023 to launch the largest Distributed DoS (DDoS) attacks ever. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University (CMU) helped coordinate disclosure with impacted companies and open source projects. HTTP/2 Continuation Flood is a class of vulnerabilities impacting many HTTP/2 protocol implementations. It stems from the incorrect handling of HEADERS and multiple CONTINUATION frames. The method involves sending a stream of CONTINUATION frames without the END_HEADERS flag to properly close the request. This article continues to discuss the HTTP/2 Continuation Flood DoS attack method.
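A defensive check for the condition described above, as an added example that is not code from the article or from any affected project: it parses HTTP/2 frame headers and caps the bytes and CONTINUATION frames a single header block may accumulate before END_HEADERS arrives. The limit values, function names and sample byte strings are assumptions constructed for illustration.

```python
import struct

HEADERS, CONTINUATION = 0x1, 0x9  # HTTP/2 frame types (RFC 9113)
END_HEADERS = 0x4                 # flag that closes a header block
# Assumed limits for this example; a real server picks its own values.
MAX_BLOCK_BYTES = 16 * 1024
MAX_CONTINUATIONS = 8

class HeaderBlockLimitExceeded(Exception):
    """One header block grew past the configured limits."""

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize a frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        (stream_id,) = struct.unpack(">I", data[pos + 5:pos + 9])
        end = pos + 9 + length
        if end > len(data):
            break  # partial frame: wait for more bytes
        yield ftype, flags, stream_id & 0x7FFFFFFF, data[pos + 9:end]
        pos = end

def check_header_blocks(data):
    """Count completed header blocks; raise when an open block exceeds a limit."""
    open_stream, size, count, completed = None, 0, 0, 0
    for ftype, flags, stream_id, payload in parse_frames(data):
        if ftype == HEADERS:
            open_stream, size, count = stream_id, len(payload), 0
        elif ftype == CONTINUATION and stream_id == open_stream:
            size, count = size + len(payload), count + 1
        else:
            continue  # other frame types are outside this example
        # The frame cap also bounds frames that add few or no bytes.
        if size > MAX_BLOCK_BYTES or count > MAX_CONTINUATIONS:
            raise HeaderBlockLimitExceeded(f"stream {stream_id}: {size} bytes, {count} CONTINUATION frames")
        if flags & END_HEADERS:
            open_stream, completed = None, completed + 1
    return completed

# Constructed sample input, not captured traffic.
BENIGN = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 100)
UNTERMINATED = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, 0, 1, b"x" * 1024) * 20
```

The size counted here is the raw frame payload, padding and priority fields included, which is a simplification of what a full HTTP/2 stack would measure.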

SecurityWeek reports "New HTTP/2 DoS Attack Potentially More Severe Than Record-Breaking Rapid Reset"

Submitted by grigby1

Submitted by Gregory Rigby on