2024 HTTP/2 CONTINUATION Flood A class of vulnerabilities I discovered and worked on in Q1 of 2024. Affects multiple HTTP/2 implementations: amphp/http (CVE-2024-2653), Apache HTTP Server (httpd) (CVE-2024-27316), Apache Tomcat (CVE-2024-24549), Apache Traffic Server (CVE-2024-31309), Envoy proxy (CVE-2024-27919, CVE-2024-30255), Golang (CVE-2023-45288), nghttp2 (CVE-2024-28182), Node.js (CVE-2024-27983), Tempesta FW (CVE-2024-2758) and more. 2023 Vulnerabilities connected to net/textproto.Re...| nowotarski.info
Preface In October 2023 I learned about HTTP/2 Rapid Reset attack, dubbed “the largest DDoS attack to date”. I didn’t have deep knowledge of HTTP/2 back then. I knew its basics like frames or HPACK but I was focusing more on HTTP/1.1 protocol and programming languages vulnerabilities. I decided to dedicate time to exploring HTTP/2 from a security analysis perspective after concluding my then-current research. A quick intro to HTTP/2 The main difference between HTTP/1.| nowotarski.info