myhack58 | 佚名 | MYHACK58:62201995518
History: Aug 14, 2019 - 12:00 a.m.

HTTP/2 denial-of-service vulnerability alert - Vulnerability alerts - The Black Bar Safety Net

2019-08-14 00:00:00 | 佚名 | www.myhack58.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.819 High
Percentile: 98.1%

On the evening of 13 August 2019, the Netflix security team, Google and the CERT/CC publicly disclosed a set of DDoS (distributed denial-of-service) vulnerabilities found in the HTTP/2 protocol implementations of a range of middleware services.

0x01 Vulnerability details
HTTP/2 (defined in RFCs 7540 and 7541) is a significant departure from HTTP/1.1. It adds several new features, including header compression and the multiplexing of data from multiple streams, which make it attractive to a wide range of users. To support these features, HTTP/2 has grown to include some of the complexity of a layer-3 transport protocol:
Data is now transmitted as binary frames;
Per-connection and per-stream windows define how much data may be transmitted;
Several ICMP-like control messages (for example the PING, RST_STREAM and SETTINGS frames) operate at the HTTP/2 connection layer;
There is a fairly elaborate concept of stream priority.
This added complexity brings exciting new features, but it also brings implementation problems. When an implementation runs on the Internet and is exposed to malicious users, the implementer has to ask:
Should I limit any of the control messages?
What is an efficient way to implement the priority queuing scheme?
What is an efficient way to implement the flow-control algorithm?
How could an attacker manipulate the flow-control algorithm at the HTTP/2 layer to produce unexpected results? (And could they manipulate flow control at the HTTP/2 layer and at the application layer at the same time to produce unexpected results?)
The Security Considerations section of RFC 7540 (see section 10.5) addresses some of these questions in a general way. However, the situation differs from the expected "normal" behaviour: for normal behaviour the standard is precise enough that implementations end up close to what is expected, whereas the algorithms and mechanisms for detecting and mitigating "abnormal" behaviour are described far more vaguely and are left to the implementer's judgement and practice. A review of a variety of middleware packages shows a wide variety of implementations with a variety of good ideas, but also a variety of shortcomings, and those shortcomings are what produced the vulnerabilities.
Why it matters
These attacks are mostly carried out at the HTTP/2 transport layer. As the diagram below shows, this layer sits above the TLS transport but below the concept of a request. In fact, many of the attacks involve either 0 or 1 requests.
![](/Article/UploadPic/2019-8/2019814191458646.png)
Since the early days of HTTP, middleware services have been oriented around requests: logs are split by request (not by connection); rate limiting happens at the request level; and flow control is triggered by requests.
In contrast, not many tools perform logging, rate limiting and correction based on how a client behaves at the HTTP/2 connection layer. Middleware services may therefore find it harder to discover and block malicious HTTP/2 connections, and may need additional tooling to handle these situations.
These attack vectors allow a remote attacker to consume excessive system resources. Some of the attacks are efficient enough that a single end system can wreak havoc on more than one server, taking the server down or causing its core process to crash or hang. Other attacks are less efficient and cause subtler problems: they only make the server slow, possibly intermittently, which makes the attack harder to detect and block.
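As an added illustration of the connection-level tooling the paragraph above says is missing (example code written for this page, not from the original article, from Netflix, or from any server project): a minimal HTTP/2 frame parser and a per-connection budget for frames that are cheap for a client to send but oblige the server to queue work (PING and SETTINGS acknowledgements, resets, priority changes and empty frames). The frame layout and flag bits are those of RFC 7540; the thresholds `budget` and `per_request`, the verdict rule, the function names and the sample byte streams are constructed assumptions for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Frame type codes and flag bits from RFC 7540, section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0, 1, 2, 3, 4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 5, 6, 7, 8, 9
FLAG_END_STREAM = 0x1   # on DATA and HEADERS
FLAG_ACK = 0x1          # on SETTINGS and PING
FLAG_END_HEADERS = 0x4  # on HEADERS, PUSH_PROMISE and CONTINUATION


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(buf: bytes) -> List[Frame]:
    """Split a raw byte stream (after the connection preface) into frames; a truncated tail is dropped."""
    frames, off = [], 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def classify(frame: Frame) -> Optional[str]:
    """Name the cheap-to-send, costly-to-answer category a frame falls in, or None if it carries real work."""
    if frame.ftype == PING and not frame.flags & FLAG_ACK:
        return "ping"            # each one obliges the server to queue a PING ACK
    if frame.ftype == SETTINGS and not frame.flags & FLAG_ACK:
        return "settings"        # each one obliges the server to queue a SETTINGS ACK
    if frame.ftype == RST_STREAM:
        return "reset"
    if frame.ftype == PRIORITY:
        return "priority"        # reshuffles the priority tree
    if frame.ftype == DATA and not frame.payload and not frame.flags & FLAG_END_STREAM:
        return "empty_frame"
    if (frame.ftype in (HEADERS, CONTINUATION, PUSH_PROMISE) and not frame.payload
            and not frame.flags & (FLAG_END_STREAM | FLAG_END_HEADERS)):
        return "empty_frame"
    return None


def analyze_connection(buf: bytes, budget: int = 20, per_request: int = 10) -> Dict:
    """Connection-level accounting: wasteful frames are counted against a budget that grows with real requests.

    budget and per_request are constructed thresholds for this example, not values from any server.
    """
    frames = parse_frames(buf)
    wasteful: Counter = Counter()
    useful = 0
    for f in frames:
        reason = classify(f)
        if reason:
            wasteful[reason] += 1
        elif f.ftype in (HEADERS, CONTINUATION) and f.flags & FLAG_END_HEADERS:
            useful += 1          # a complete request header block: the only thing the server is there to serve
    allowed = budget + per_request * useful
    return {"frames": len(frames), "useful": useful, "wasteful": dict(wasteful),
            "allowed": allowed, "abusive": sum(wasteful.values()) > allowed}


# Constructed sample streams (the HPACK bytes inside HEADERS are placeholders and are not decoded).
REQUEST = build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x82\x84")
REQUEST_OPEN = build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")  # stream left open for a body
BENIGN = build_frame(SETTINGS, 0, 0) + REQUEST + build_frame(PING, 0, 0, bytes(8))
PING_FLOOD = build_frame(SETTINGS, 0, 0) + build_frame(PING, 0, 0, bytes(8)) * 500
EMPTY_FLOOD = build_frame(SETTINGS, 0, 0) + REQUEST_OPEN + build_frame(DATA, 0, 1) * 300

if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("ping flood", PING_FLOOD), ("empty frames", EMPTY_FLOOD)):
        print(name, analyze_connection(stream))
```

The point of the budget rule is that a real client's control traffic is proportional to the requests it makes, so the allowance scales with completed header blocks; a connection that spends hundreds of frames while completing zero or one request is the pattern every vector on this page shares, and the verdict is available at the connection layer before any request-level log line is written.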
Attack status
We found that many of the attack vectors (all fixed today) are variants of one key idea: a malicious client asks the server to do something that generates a response, but the client refuses to read the response. This exercises the server's queue-management code. Depending on how the server handles its queues, the client can force it to consume excess memory and CPU while processing the requests.
CVE-2019-9511 "Data Dribble": the attacker requests a large amount of data from a specified resource over multiple streams. By manipulating the window size and stream priority, they force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory or both, which may lead to a denial of service.
CVE-2019-9512 "Ping Flood": the attacker sends a continual stream of pings to an HTTP/2 peer, causing the peer to build up an internal queue of responses. Depending on how efficiently this queue is handled, this can consume excess CPU, memory or both, which may lead to a denial of service.
CVE-2019-9513 "Resource Loop": the attacker creates multiple request streams and continually shuffles their priority in a way that causes substantial churn in the priority tree. This can consume excess CPU, which may lead to a denial of service.
CVE-2019-9514 "Reset Flood": the attacker opens a number of streams and sends an invalid request over each of them, which should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess CPU, memory or both, which may lead to a denial of service.
CVE-2019-9515 "Settings Flood": the attacker sends a stream of SETTINGS frames to the peer. Because the RFC requires the peer to reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behaviour to a ping. Depending on how efficiently this queue is handled, this can consume excess CPU, memory or both, which may lead to a denial of service.
CVE-2019-9516 "0-Length Headers Leak": the attacker sends a stream of headers with a 0-length header name and a 0-length header value, optionally Huffman-encoded into headers of 1 byte or more. Some implementations allocate memory for these headers and keep the allocation alive until the session ends. This can consume excess memory, which may lead to a denial of service.
CVE-2019-9517 "Internal Data Buffering": the attacker opens the HTTP/2 window so that the peer can send without constraint; however, they leave the TCP window closed, so the peer cannot actually write (many of) the bytes onto the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server queues its responses, this can consume excess memory and CPU, which may lead to a denial of service.
CVE-2019-9518 "Empty Frames Flood": the attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION or PUSH_PROMISE. The time the peer spends processing each frame is out of proportion to the attack bandwidth. This can consume excess CPU, which may lead to a denial of service. (Discovered by Piotr Sikora of Google.)
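The recurring pattern in this list, a client that solicits responses and then refuses to read them, is clearest in "Internal Data Buffering" (CVE-2019-9517): the peer-controlled HTTP/2 window says the server may send, while the TCP receive side never drains. The following simulation is example code added for this page (not the original article's, Netflix's or any server's code) and shows why the server needs its own bound on what it buffers per connection plus a stall timer, rather than trusting the HTTP/2 window alone. `ConnectionSendState`, `offer`, `peer_read`, `tick`, the limits `max_buffered` and `stall_timeout`, and the 1 MiB responses are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

MIB = 1024 * 1024


@dataclass
class ConnectionSendState:
    """Server-side view of one HTTP/2 connection's outbound path.

    send_window is what the peer advertised through HTTP/2 flow control; buffered is what the server
    has accepted for the socket but the peer has not yet read off the wire. max_buffered and
    stall_timeout are the server's own limits (constructed values here, not any server's defaults).
    """
    send_window: int
    max_buffered: int
    stall_timeout: float
    buffered: int = 0
    last_progress: float = 0.0
    closed_reason: Optional[str] = None

    def offer(self, nbytes: int, now: float) -> int:
        """Try to queue nbytes of response; returns how many were accepted (0 once closed or over the cap)."""
        if self.closed_reason:
            return 0
        accepted = min(nbytes, self.send_window)          # HTTP/2 flow control, controlled by the peer
        if self.buffered + accepted > self.max_buffered:  # the server's own cap, controlled by the server
            self.closed_reason = "buffer_cap"
            return 0
        self.send_window -= accepted
        self.buffered += accepted
        return accepted

    def peer_read(self, nbytes: int, now: float) -> int:
        """The peer drained nbytes from the wire; that is the only progress signal the server can trust."""
        drained = min(nbytes, self.buffered)
        self.buffered -= drained
        if drained:
            self.last_progress = now
        return drained

    def tick(self, now: float) -> Optional[str]:
        """Periodic check: data is waiting but nothing has moved for too long, so close the connection."""
        if self.closed_reason is None and self.buffered and now - self.last_progress > self.stall_timeout:
            self.closed_reason = "stalled"
        return self.closed_reason


def simulate_open_window_closed_tcp(max_buffered: int, responses: int = 4,
                                    size: int = MIB) -> Tuple[int, Optional[str]]:
    """Peer advertises a huge HTTP/2 window, requests several large objects and never reads the socket."""
    conn = ConnectionSendState(send_window=2**31 - 1, max_buffered=max_buffered, stall_timeout=30.0)
    total = 0
    for i in range(responses):
        total += conn.offer(size, now=float(i))
    return total, conn.closed_reason


def simulate_stalled_reader() -> Optional[str]:
    """One response is queued, the peer reads nothing, and the stall timer eventually fires."""
    conn = ConnectionSendState(send_window=2**31 - 1, max_buffered=8 * MIB, stall_timeout=30.0)
    conn.offer(MIB, now=0.0)
    conn.tick(now=10.0)        # still within the timeout
    return conn.tick(now=31.0)


def simulate_healthy_reader() -> Optional[str]:
    """A normal client reads each response promptly, so neither limit ever triggers."""
    conn = ConnectionSendState(send_window=2**31 - 1, max_buffered=2 * MIB, stall_timeout=30.0)
    for i in range(10):
        conn.offer(MIB, now=float(i))
        conn.peer_read(MIB, now=float(i) + 0.1)
        conn.tick(now=float(i) + 0.2)
    return conn.closed_reason


if __name__ == "__main__":
    print("trusting the HTTP/2 window only:", simulate_open_window_closed_tcp(2**31 - 1))
    print("with a 2 MiB per-connection cap: ", simulate_open_window_closed_tcp(2 * MIB))
    print("stalled reader:", simulate_stalled_reader(), "| healthy reader:", simulate_healthy_reader())
```

With `max_buffered` set to the advertised window the server accepts every byte the peer asks for and the memory cost is bounded only by the attacker; with a server-chosen cap the third large response is refused and the connection is closed, and a reader that drains nothing for longer than `stall_timeout` is closed even when it stays under the cap. Both decisions use only connection-level state, which is the kind of accounting the "Why it matters" section notes is missing from request-oriented tooling.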

0x02 Remediation recommendations
Nginx has confirmed that it is affected and has released updates for these vulnerabilities
nginx security advisories
Other middleware services have not yet given a clear response or fix
360CERT recommends that users promptly update the HTTP service middleware they run so that they are not affected by these vulnerabilities.
