
HTTP/2 Denial of Service Advisory

191 points, by rdli, almost 6 years ago

10 comments

iforgotpassword, almost 6 years ago
Entirely unsurprising. With all this complexity, HTTP2 is on par with a full TCP/IP stack. All major operating systems had decades to optimize and bulletproof these, and *still* to this day we find issues with them every now and then. What did people expect would happen when we start reinventing the wheel yet again, *on top of what we already have*?

And this is just the tip of the iceberg. Consider this a warm-up exercise.
iampims, almost 6 years ago
I somewhat wish there was a way to test if any http2 server is vulnerable to these issues:

* https://godoc.org/golang.org/x/net/http2
* https://www.haproxy.com/blog/haproxy-1-9-has-arrived/
* https://repo1.maven.org/maven2/org/eclipse/jetty/http2/
* etc…

Larger list at https://en.wikipedia.org/wiki/HTTP/2#Server_software
judge2020, almost 6 years ago
Cloudflare post on this: https://blog.cloudflare.com/on-the-recent-http-2-dos-attacks/
netsectoday, almost 6 years ago
Here is a server vulnerability matrix... pretty much if you are running HTTP/2 you are exposed and your vendor has a patch waiting for you.

https://vuls.cert.org/confluence/pages/viewpage.action?pageId=56393752
jrockway, almost 6 years ago
Envoy appears to have been updated today to 1.11.1 to mitigate some of these issues. I upgraded and have not experienced any problems yet.
mholt, almost 6 years ago
Caddy is patched. v1.0.2. https://github.com/caddyserver/caddy/releases/tag/v1.0.2
dsign, almost 6 years ago
It's a nice write-up, really, but any HTTP/2 implementation should be tested with a nice packet fuzzer. Indeed, server providers should compete in the square miles of the datacenter they use to run the fuzzer. Also, the best servers should come with several defense perimeters, including one with geo-ip-directed tactic missiles. Nothing less will do.
mjevans, almost 6 years ago
Is there a better list of fixed versions for e.g. Apache / Lighttpd (n/a, no HTTP/2 support) / Nginx?
cryptonector, almost 6 years ago
Flow control in application protocols over TCP has been tried (in SSHv2), and it's failed. In SSHv2 flow control acts as a handbrake on all channels -- not good, though it does fix the starving of non-bulk channels by bulk channels. It's bound to fail in HTTP/2 as well.
jedisct1, almost 6 years ago
Of course this affects DoH servers, too.