Home Blogs HTTP/2 Continuation Floods
Applications

About The Author

Outline

Author: Dave Andrews, Sergio Ruiz

A few months ago, Edgio was made aware of a novel HTTP/2 class of vulnerability focusing specifically on HTTP/2 CONTINUATION frames. This issue is related to the previously reported HTTP/2 Rapid Reset (CVE-2023-44487) vulnerability, which utilized the HTTP/2 protocol to very quickly create then abandon requests on a target server, as it takes advantage of common HTTP/2 server implementations’ assumptions about clients’ behavior.

CONTINUATION frames in HTTP/2 are normally utilized to send header blocks across multiple frames. For example, when initiating a request, a client can send a HEADERS frame specifying elements of the request, CONTINUATION frames to specify additional elements of the request, and then a final frame with the END_HEADERS flag set, indicating the header block is complete.

The most recent vulnerability identified in multiple HTTP/2 server implementations fails to limit the maximum number of CONTINUATION frames that the client could send, meaning that an adversary could either force the server to process the frames continuously, or worse, allocate memory indefinitely to hold the header values, leading to a remote Denial of Service. This type of flaw greatly increases the impact and susceptibility of internet infrastructure to DDoS attacks.

This vulnerability has multiple CVEs associated with it, specific to different implementations, including CVE-2024-2653, CVE-2023-45288, CVE-2024-28182, CVE-2024-27316, CVE-2024-27919, CVE-2024-2758.

Edgio’s Core Platform has deployed configuration options that limit the maximum number of CONTINUATION frames a client can send, and metrics to capture when these limits are exceeded and enforced. Edgio customers are protected from this style of attack.

Here’s how this appears in our internal monitoring systems:
http/2 continuation floods frames

This diagram shows the counts of connections exceeding the maximum CONTINUATION frames, aggregated by POP.