HTTP/2 CONTINUATION Flood is mitigated by Cloudflare?

Hi all,

Cloudflare has been aware of this vulnerability dating back to the pre-disclosure process in January 2024. Cloudflare’s network, its HTTP/2 implementation and Application Services customers are not affected by this vulnerability.

Cloudflare is not currently aware of any threat actors exploiting this vulnerability in the wild.

The vulnerability:

The HTTP/2 Continuation Flood vulnerability is a new DDoS attack method that targets HTTP/2 protocol implementations that improperly handle HEADERS and multiple CONTINUATION frames. Multiple CVEs have been assigned to the various implementations of HTTP/2 that are impacted by this vulnerability.

The threat actor sends a sequence of CONTINUATION frames without the END_HEADERS flag, leading to server issues such as out-of-memory crashes or CPU exhaustion.

This vulnerability poses a potentially severe threat, more damaging than the previously known Rapid Reset, by allowing even a single machine to disrupt websites and APIs using HTTP/2, with the added challenge of difficult detection because no requests appear in HTTP access logs.
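To make the defect concrete, here is an added illustration (not Cloudflare's code) of the header-block reassembly path that this attack abuses: a server collects HEADERS and CONTINUATION payloads until END_HEADERS arrives, so an implementation with no cap on the buffered block (max_bytes=None below) grows memory for as long as the client keeps sending, while one that fails closed at a fixed limit rejects the connection early. Frame layout follows RFC 9113; the sample stream, the `HeaderBlockAssembler` class and the `run` helper are constructed for this example, and padding/priority fields are not modelled.

```python
import struct
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4   # frame types and flag bit from RFC 9113

def build_frame(ftype, flags, stream_id, payload):
    # 9-byte HTTP/2 frame header: 24-bit length, type, flags, 31-bit stream id
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(buf):
    # Yield (type, flags, stream_id, payload) for each complete frame in buf
    while len(buf) >= 9:
        length = int.from_bytes(buf[:3], "big")
        if len(buf) < 9 + length:
            break
        stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
        yield buf[3], buf[4], stream_id, buf[9:9 + length]
        buf = buf[9 + length:]

class HeaderBlockAssembler:
    # Reassembles one header block from HEADERS + CONTINUATION frames.
    # max_bytes=None is the unbounded (vulnerable) behaviour; a finite cap fails closed.
    def __init__(self, max_bytes=None):
        self.max_bytes, self.stream_id, self.buffer = max_bytes, None, bytearray()

    def feed(self, ftype, flags, stream_id, payload):
        if ftype == HEADERS:
            self.stream_id, self.buffer = stream_id, bytearray()
        elif ftype != CONTINUATION or stream_id != self.stream_id:
            return "protocol_error"  # only CONTINUATION on the same stream may follow
        self.buffer += payload
        if self.max_bytes is not None and len(self.buffer) > self.max_bytes:
            return "rejected"  # tear down the connection instead of buffering forever
        return "complete" if flags & END_HEADERS else "pending"

def run(stream, max_bytes=None):
    # Feed a byte stream of frames through the assembler; return (status, bytes buffered)
    asm, status = HeaderBlockAssembler(max_bytes), "pending"
    for frame in parse_frames(stream):
        status = asm.feed(*frame)
        if status in ("rejected", "protocol_error"):
            break
    return status, len(asm.buffer)

def sample_stream(n_continuation, chunk=1024, finish=False):
    # Constructed sample: HEADERS then n CONTINUATION frames on stream 1; END_HEADERS only if finish
    frames = build_frame(HEADERS, 0, 1, b"\x00" * chunk)
    for i in range(n_continuation):
        flags = END_HEADERS if finish and i == n_continuation - 1 else 0
        frames += build_frame(CONTINUATION, flags, 1, b"\x00" * chunk)
    return frames
```

A real server would additionally bound the time a block may stay open and count bytes against SETTINGS_MAX_HEADER_LIST_SIZE before HPACK decoding, which is the behaviour the vendor patches add.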

HTTP Internet properties that are using Cloudflare’s CDN/WAF service (HTTP reverse-proxy) are protected against this vulnerability. No action is required aside from following the general best practices.

Organizations that operate HTTP/2-based services that are not protected by Cloudflare should ensure that they update the software/libraries their services use according to the specific guidelines and patches that are being rolled out.

Thank you.