HTTP/2 Implementation Flaws Open Websites to DoS Attacks

Walden Systems Geeks Corner News

Flaws were found in vendor server configurations from Amazon, Google, Microsoft and Apache. In all, eight bugs were found in the implementation of HTTP/2, the most recent version of the HTTP protocol. The bugs can be exploited to conduct a denial of service attack and deny access to websites.

HTTP/2 is an update to the HTTP protocol, introduced in 2015. The update was meant as a faster and simpler alternative to HTTP/1. Hypertext Transfer Protocol, or HTTP, is a fundamental protocol used on the internet for data exchange on the Web. Hackers can exploit these HTTP/2 vulnerabilities by sending specially crafted requests to vulnerable servers. An affected server will attempt to process the request and attempt to send a response. However, the malicious client ignores the response, leading to high resource usage, which would result in a denial of service.


The vulnerabilities can only be used to cause a DoS and don't allow hackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers. The flaws were discovered by a security team made up of Netflix, Google and CERT, which reported the issues to each of the affected vendors. Affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft IIS, Cloudflare, Akamai, Apple SwiftNIO, Amazon, Facebook Proxygen, Node.js, and Envoy proxy.

Cloudflare, which uses NGINX software to handle HTTP/2, has patched all instances of vulnerable software. Apple also released fixes for its implementation of HTTP/2. Apple stated that an attack on a server may consume unbounded amounts of memory when receiving certain traffic patterns and eventually suffer resource exhaustion.
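The condition described above, a client that keeps requesting but never reads the responses so that the data held for it grows without bound, is countered by capping what a server will buffer per connection. The following is an added example, not code from the article or from any vendor: a simplified Python model of such a guard, in which the class, the thresholds and the tick-based accounting are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
MAX_QUEUED_BYTES = 256 * 1024  # assumed cap on unsent response bytes per connection
MAX_STALLED_TICKS = 3          # assumed: timer ticks with pending data and zero reads

@dataclass
class Connection:
    queued: int = 0         # response bytes generated but not yet accepted by the peer
    peak: int = 0           # high-water mark of queued bytes
    stalled_ticks: int = 0
    closed: bool = False
    reason: str = ""

    def _close(self, reason: str) -> None:
        self.closed, self.reason, self.queued = True, reason, 0

    def on_request(self, response_size: int) -> bool:
        """Queue a response; close instead if the peer is not draining earlier ones."""
        if self.closed:
            return False
        if self.queued + response_size > MAX_QUEUED_BYTES:
            self._close("send queue limit exceeded")
            return False
        self.queued += response_size
        self.peak = max(self.peak, self.queued)
        return True

    def on_tick(self, bytes_read_by_peer: int) -> None:
        """Once per timer tick: account for what the peer actually accepted."""
        if self.closed:
            return
        self.queued = max(0, self.queued - bytes_read_by_peer)
        if self.queued and bytes_read_by_peer == 0:
            self.stalled_ticks += 1
            if self.stalled_ticks >= MAX_STALLED_TICKS:
                self._close("peer not reading responses")
        else:
            self.stalled_ticks = 0

def simulate(requests_per_tick, response_size, read_per_tick, ticks):
    """Constructed traffic pattern; returns (closed, reason, peak queued bytes)."""
    conn = Connection()
    for _ in range(ticks):
        for _ in range(requests_per_tick):
            if not conn.on_request(response_size):
                break
        conn.on_tick(read_per_tick)
        if conn.closed:
            break
    return conn.closed, conn.reason, conn.peak
```

With the guard in place, buffered data per connection never exceeds the cap, and a peer that stops reading is disconnected after a fixed number of ticks instead of holding memory indefinitely.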