Web servers exposed to DoS attacks due to new HTTP/2 flaws


Cybersecurity researchers say the widely used HTTP/2 protocol for web servers contains several vulnerabilities that could lead to Denial of Service (DoS) attacks.

The widely used HTTP/2 protocol for web servers contains a set of eight vulnerabilities that could lead to DoS attacks, researchers say. Unpatched web servers running any of several affected HTTP/2 implementations could be taken down in this way. Around 40% of websites on the Internet which support HTTP/2 communication could be vulnerable to DoS attacks.

DoS attacks can cause servers to become unresponsive and deny visitors access to web pages, thereby crippling crucial web services.

Security researcher Jonathan Looney of Netflix discovered seven of the flaws whereas Piotr Sikora of Google found the eighth flaw. The eight flaws have been tracked as: CVE-2019-9511 (Data Dribble), CVE-2019-9512 (Ping Flood), CVE-2019-9513 (Resource Loop), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood), CVE-2019-9516 (0-Length Headers Leak), CVE-2019-9517 (Internal Data Buffering) and CVE-2019-9518 (Empty Frames Flood).

Some of these flaws can be exploited remotely by a single attacker, some could be used to knock out multiple servers from a single end-system, and the rest could be used in DDoS attacks.

Netflix stated in an advisory that all the attack vectors are variants of the same approach: a client requests a response from an unpatched server and then refuses to read it, leaving the server to queue the data and burn resources on the client's behalf.
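As an added illustration of the pattern just described (example code written here, not code from the article, from Netflix's advisory, or from any affected project), the following Python script flags connections that match the flood patterns and the "ask for data, then never read it" pattern behind the named CVEs. The event format, the server-side `QUEUED` marker and the thresholds are assumptions, and the traffic it runs over is constructed.

```python
# Added example (not from the article, Netflix or CERT/CC): a heuristic monitor
# for the HTTP/2 abuse patterns named in the advisory, run over constructed
# per-connection frame events. Event format and thresholds are assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Illustrative thresholds (assumed; tune against a real traffic baseline).
MAX_CONTROL_FRAMES = 1000      # control frames per connection per window
MAX_QUEUED_BYTES = 1_000_000   # response bytes buffered for a peer that never drains them

# Received frame types whose flooding matches the advisory's named variants.
FLOOD_TYPES = {
    "PING": "Ping Flood",
    "SETTINGS": "Settings Flood",
    "RST_STREAM": "Reset Flood",
    "PRIORITY": "Resource Loop",
    "EMPTY_DATA": "Empty Frames Flood",
}


@dataclass
class ConnStats:
    frames: Counter = field(default_factory=Counter)
    queued_bytes: int = 0      # bytes the server has queued to send to this peer
    window_updates: int = 0    # WINDOW_UPDATE frames received (peer is reading)


def analyze(events, max_control=MAX_CONTROL_FRAMES, max_queued=MAX_QUEUED_BYTES):
    """events: iterable of (conn_id, kind, length).

    kind is a received frame type ("PING", "SETTINGS", "RST_STREAM", "PRIORITY",
    "DATA", "HEADERS", "WINDOW_UPDATE") or the constructed server-side marker
    "QUEUED", meaning `length` response bytes were buffered for that peer.
    Returns {conn_id: [finding, ...]} for connections that look abusive."""
    stats = defaultdict(ConnStats)
    for conn, kind, length in events:
        s = stats[conn]
        if kind == "QUEUED":
            s.queued_bytes += length
        elif kind == "WINDOW_UPDATE":
            s.window_updates += 1
        elif kind == "DATA" and length == 0:
            s.frames["EMPTY_DATA"] += 1
        else:
            s.frames[kind] += 1

    findings = {}
    for conn, s in stats.items():
        reasons = []
        for kind, label in FLOOD_TYPES.items():
            if s.frames[kind] > max_control:
                reasons.append(f"{label}: {s.frames[kind]} {kind} frames")
        # Data Dribble / Internal Data Buffering: the peer asked for data and
        # then never opened its flow-control window, so the server keeps buffering.
        if s.queued_bytes > max_queued and s.window_updates == 0:
            reasons.append(
                f"peer never reads: {s.queued_bytes} bytes queued, no WINDOW_UPDATE")
        if reasons:
            findings[conn] = reasons
    return findings


def sample_events():
    """Constructed traffic: one normal client, one PING flood, and one client
    that requests a large response and never opens its flow-control window."""
    ev = []
    # A: ordinary browsing, reads everything it asked for
    for _ in range(20):
        ev += [("A", "HEADERS", 120), ("A", "QUEUED", 50_000), ("A", "WINDOW_UPDATE", 4)]
    # B: Ping Flood
    ev += [("B", "PING", 8)] * 5000
    # C: asks for data, then refuses to read it
    ev.append(("C", "HEADERS", 90))
    ev += [("C", "QUEUED", 512_000)] * 10
    return ev


if __name__ == "__main__":
    for conn, reasons in analyze(sample_events()).items():
        print(conn, *reasons, sep="\n  ")
```

In a real deployment the events would come from the server's own HTTP/2 layer (most implementations expose per-connection frame counters and send-buffer sizes), and the thresholds would be set from observed baselines rather than the constants used here; the point is that every variant shows up as either a runaway count of one control-frame type or a send buffer that grows without any flow-control credit arriving.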

An alert from the CERT Coordination Center highlighted many large companies which may be affected by these DoS vulnerabilities.

The list includes the likes of Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu.

Many of the affected companies have already patched their systems. Cloudflare fixed seven of the vulnerabilities impacting its Nginx servers used for HTTP/2 communication.

“There are 6 different potential vulnerabilities here and we are monitoring for all of them. We have detected and mitigated a handful of attacks but nothing widespread yet,” said Cloudflare, BleepingComputer reported.

Microsoft, Apple, Netflix, and other companies have also taken steps to patch their systems.

