[Hacker News repost] HTTP/2 Continuation Flood: Technical Details
-
Title: HTTP/2 Continuation Flood: Technical Details
Text:
Url: https://nowotarski.info/http2-continuation-flood-technical-details/
The article gives an in-depth technical analysis of the CONTINUATION Flood, a class of vulnerability found in many HTTP/2 protocol implementations. The author rates it as more severe than Rapid Reset because a single machine is enough to take down a server's availability, either by crashing it or by degrading its performance significantly. Notably, the requests that make up the attack never appear in HTTP access logs, because no request is ever completed. The main difference between HTTP/1.1 and HTTP/2 is that the latter is a binary protocol that exchanges frames rather than lines of text. The vulnerability arises when a client opens a new HTTP/2 stream and sends HEADERS followed by CONTINUATION frames without ever setting the END_HEADERS flag, producing an endless stream of header frames that the server must parse and buffer in memory. Depending on the implementation, this leads to CPU exhaustion, an out-of-memory crash, or a crash after only a handful of frames. The vulnerability is serious and, if exploited in the wild, poses a risk to network security. CERT/CC opened a vulnerability coordination case to track the issue and published a vulnerability note.
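To make the mechanism concrete, here is an added example (written for this page, not code from the article or from any of the servers it discusses) that models the frame exchange in Python: a constructed client opens a header block with HEADERS and keeps sending CONTINUATION frames without END_HEADERS, and the frames are fed into a header-block reassembler once without limits (the vulnerable pattern) and once with a byte cap and a frame-count cap. The frame layout follows RFC 9113; the limit values, the ENHANCE_YOUR_CALM wording and the filler payload are assumptions for illustration, and the payload is not valid HPACK.

```python
"""Frame-level model of the HTTP/2 CONTINUATION flood (constructed example)."""
import itertools
import struct
from typing import Iterator, Optional

# RFC 9113 frame types and flags used here
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
# 9-byte frame header: 24-bit length (split 8+16), type, flags, R bit + 31-bit stream id
FRAME_HEADER = struct.Struct("!BHBBI")


class ProtocolError(Exception):
    """Connection-level error; a server would answer with GOAWAY and close."""


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame (RFC 9113, section 4.1)."""
    length = len(payload)
    if length >= 1 << 24 or stream_id >= 1 << 31:
        raise ValueError("frame length or stream id out of range")
    return FRAME_HEADER.pack(length >> 16, length & 0xFFFF, ftype, flags, stream_id) + payload


def decode_frame(frame: bytes):
    """Split a single serialized frame into (type, flags, stream_id, payload)."""
    hi, lo, ftype, flags, sid = FRAME_HEADER.unpack(frame[:9])
    length = (hi << 16) | lo
    return ftype, flags, sid & 0x7FFFFFFF, frame[9:9 + length]


def continuation_flood(stream_id: int = 1, chunk: bytes = b"\x00" * 1024) -> Iterator[bytes]:
    """Constructed model of the attack: open a header block and never finish it.

    The payload is filler, not valid HPACK; the server never gets to decode it
    because END_HEADERS never arrives, so no request is ever formed or logged.
    """
    yield encode_frame(HEADERS, 0, stream_id, chunk)          # END_HEADERS deliberately absent
    while True:
        yield encode_frame(CONTINUATION, 0, stream_id, chunk)  # still no END_HEADERS


class HeaderBlockAccumulator:
    """Reassembles a header block from HEADERS + CONTINUATION frames.

    With both limits None this is the vulnerable pattern: buffer until END_HEADERS
    shows up, however long that takes. With limits set, the connection is torn
    down as soon as a block exceeds max_block_bytes or is split across more than
    max_frames frames (the frame cap also stops a flood of zero-length
    CONTINUATION frames, which burns CPU without growing the buffer).
    Limit values are illustrative assumptions, not taken from any server.
    """

    def __init__(self, max_block_bytes: Optional[int] = None, max_frames: Optional[int] = None):
        self.max_block_bytes = max_block_bytes
        self.max_frames = max_frames
        self.open_stream: Optional[int] = None
        self.buffer = bytearray()
        self.frames_in_block = 0

    def feed(self, frame: bytes) -> Optional[bytes]:
        """Feed one frame; return the complete header block once END_HEADERS arrives."""
        ftype, flags, sid, payload = decode_frame(frame)
        if self.open_stream is None:
            if ftype != HEADERS:
                return None                      # not a header frame; nothing to reassemble
            self.open_stream, self.frames_in_block = sid, 0
            self.buffer = bytearray()
        elif ftype != CONTINUATION or sid != self.open_stream:
            # RFC 9113 section 6.10: nothing may interleave with an unfinished header block
            raise ProtocolError(f"PROTOCOL_ERROR: unexpected frame type {ftype:#x} on stream {sid}")

        self.frames_in_block += 1
        if self.max_frames is not None and self.frames_in_block > self.max_frames:
            raise ProtocolError(f"ENHANCE_YOUR_CALM: stream {sid} header block split across >{self.max_frames} frames")
        if self.max_block_bytes is not None and len(self.buffer) + len(payload) > self.max_block_bytes:
            raise ProtocolError(f"ENHANCE_YOUR_CALM: stream {sid} header block exceeds {self.max_block_bytes} bytes")
        self.buffer += payload

        if flags & END_HEADERS:
            block, self.open_stream = bytes(self.buffer), None
            return block                         # complete; hand to the HPACK decoder
        return None


def run_flood(acc: HeaderBlockAccumulator, frames: int = 1000, chunk: bytes = b"\x00" * 1024) -> dict:
    """Feed up to `frames` frames of the constructed flood and report the outcome."""
    for n, frame in enumerate(itertools.islice(continuation_flood(chunk=chunk), frames), start=1):
        try:
            acc.feed(frame)
        except ProtocolError as err:
            return {"aborted": True, "frames": n, "buffered": len(acc.buffer), "reason": str(err)}
    return {"aborted": False, "frames": frames, "buffered": len(acc.buffer), "reason": None}


if __name__ == "__main__":
    print("unbounded:", run_flood(HeaderBlockAccumulator()))
    print("bounded:  ", run_flood(HeaderBlockAccumulator(max_block_bytes=16 * 1024, max_frames=32)))
```

Running the unbounded accumulator against 1000 frames of 1 KiB shows it holding all 1 MiB with no request ever formed; the bounded one tears the connection down at the 17th frame with 16 KiB buffered. A byte cap alone would not stop a flood of empty CONTINUATION frames, which is why the frame-count cap is separate. Because the bounded accumulator raises with the stream id before any request exists, the connection layer can log the abort even though nothing reaches the access log.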
Post by: campuscodi
Comments:
mcmatterson: I'd just mitigated this exact thing in Bandit last month!<p><a href="https://github.com/mtrudel/bandit/blob/main/lib/bandit/http2/connection.ex#L84">https://github.com/mtrudel/bandit/blob/main/lib/bandit/http2...</a><p>TBH, from an implementors perspective this is a super obvious thing to cover off. It had long been on my radar and was something that I'd always figured other implementations had defended against as well.
userbinator: <i>In the last couple of months I checked dozens of implementations and, somehow, these protections were not implemented (or implemented incorrectly) even in major HTTP/2 servers</i><p>I'll speak to the elephant in the room: this is what happens when you have an entire developer culture so used to automatically dynamically expanding everything and not caring how big it is, that they never think about how big something can be.<p>This class of problems isn't necessarily restricted to HTTP/2, although its gross complexity probably contributes; it's just that in HTTP/1.x times, more developers would be used to languages like C where managing buffer lengths takes constant attention, and no one would bother to make header allocations expand limitlessly when they should be a few K in total at most for the whole request.
nullindividual: Previous article with impacted web servers/reverse proxies from the same author.<p><a href="https://nowotarski.info/http2-continuation-flood/" rel="nofollow">https://nowotarski.info/http2-continuation-flood/</a>
jagger27: > NOT affected: Nginx, Jetty, HAProxy, NetScaler, Varnish. [0]<p>0: <a href="https://nowotarski.info/http2-continuation-flood/" rel="nofollow">https://nowotarski.info/http2-continuation-flood/</a>
unethical_ban: This has been at the top all day.<p>I wonder: For low-traffic websites, is it possible that running HTTP/1.1 is just safer?