Is HTTP/2 CONTINUATION Flood mitigated by Cloudflare?

Is the new HTTP/2 CONTINUATION Flood mitigated by Cloudflare?

4 Likes

I too am looking for some kind of clarification/statement

Hello,

As HTTP/2 CONTINUATION Flood - nowotarski.info says, “NOT affected: Nginx, Jetty, HAProxy, NetScaler, Varnish”.

As Cloudflare uses Nginx, I guess it is not affected at all, then no mitigation is required.

As far as I know, Cloudflare ditched NGINX a year and a half ago and now uses a Rust proxy built in-house named Pingora.

It would be good to have a clear statement on this.

1 Like

I missed this very useful information. Then, yes, we have to wait for a clear statement about that.

Hi all,

Cloudflare has been aware of this vulnerability dating back to the pre-disclosure process in January 2024. Cloudflare’s network, its HTTP/2 implementation and Application Services customers are not affected by this vulnerability.

Cloudflare is not currently aware of any threat actors exploiting this vulnerability in the wild.

The vulnerability:

The HTTP/2 Continuation Flood vulnerability is a new DDoS attack method that targets HTTP/2 protocol implementations that are improperly handling HEADERS and multiple CONTINUATION frames. Multiple CVEs have been assigned to the various implementations of HTTP/2 that are impacted by this vulnerability.

The threat actor sends a sequence of CONTINUATION frames without the END_HEADERS flag, leading to server issues such as out-of-memory crashes or CPU exhaustion.

This vulnerability poses a potentially severe threat more damaging than the previously known Rapid Reset, by allowing even a single machine to disrupt websites and APIs using HTTP/2, with the added challenge of difficult detection due to no visible requests in HTTP access logs.

HTTP Internet properties that are using Cloudflare’s CDN/WAF service (HTTP reverse-proxy) are protected against this vulnerability. No action is required aside from following the general best practices.

Organizations that operate HTTP/2-based services that are not protected by Cloudflare should ensure they update the software/libraries their services use according to the specific guidelines and patches that are being rolled out.

Thank you.

2 Likes
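The reply above describes the flood as CONTINUATION frames sent without the END_HEADERS flag. As an added example (not Cloudflare's code or any vendor's patch), this is the kind of per-connection check an HTTP/2 server needs to bound it; the two limits, the `frame()` helper and the sample streams are constructed for illustration.

```python
HEADERS, CONTINUATION = 0x1, 0x9   # frame types (RFC 9113)
END_HEADERS = 0x4                  # flag on HEADERS / CONTINUATION
MAX_HEADER_BLOCK = 16 * 1024       # assumed byte budget per header block
MAX_CONTINUATIONS = 8              # assumed frame-count budget per block

def frame(ftype, flags, stream_id, payload=b""):
    """Build one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def check_header_blocks(data):
    """Walk a frame stream; return 'ok' or the reason to drop the connection."""
    pos, open_stream, block_bytes, conts = 0, None, 0, 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + 9 + length > len(data):
            break                      # truncated frame: wait for more bytes
        pos += 9 + length
        if open_stream is not None:
            # Only CONTINUATION on the same stream may follow an open block.
            if ftype != CONTINUATION or stream_id != open_stream:
                return "protocol_error: header block interrupted"
            conts += 1
        elif ftype == HEADERS:
            open_stream, block_bytes, conts = stream_id, 0, 0
        elif ftype == CONTINUATION:
            return "protocol_error: CONTINUATION without HEADERS"
        else:
            continue                   # other frame types are out of scope here
        # Payload length is a conservative upper bound on the header fragment.
        block_bytes += length
        if block_bytes > MAX_HEADER_BLOCK:
            return "limit: header block too large"      # memory exhaustion case
        if conts > MAX_CONTINUATIONS:
            return "limit: too many CONTINUATION frames"  # empty-frame CPU case
        if flags & END_HEADERS:
            open_stream = None
    return "ok" if open_stream is None else "pending: header block still open"

# Constructed sample streams (not captured traffic).
NORMAL = frame(HEADERS, 0, 1, b"a" * 100) + frame(CONTINUATION, END_HEADERS, 1, b"b" * 50)
EMPTY_FLOOD = frame(HEADERS, 0, 1, b"a") + frame(CONTINUATION, 0, 1) * 100
LARGE_BLOCK = frame(HEADERS, 0, 1, b"a" * 10) + frame(CONTINUATION, 0, 1, b"x" * 10000) * 2
```

Because the block never completes, no request reaches the access log, so the rejection reason returned here is the signal worth logging and counting per client.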
