HTTP/2 is vulnerable to DoS attacks. Here’s how to fix them.
Everyone loves fast, secure websites. Google’s SPDY and its successor HTTP/2 were seen as a big step towards that goal.
As of Aug 6th 2016, 9.1% of websites use HTTP/2, and the trend is seeing a steep rise. All looked good.
On Aug 3rd, this smooth ride suffered a setback. At the annual Black Hat conference, four serious HTTP/2 vulnerabilities were disclosed that make DoS attacks possible against HTTP/2 servers.
However, all is not lost. These vulnerabilities can be mitigated. Here’s a list of HTTP/2 vulnerabilities and how they can be fixed:
1. Slow Read Vulnerability (CVE-2016-1546)
Attackers can exploit this vulnerability to occupy all available connections, and deny access to legitimate visitors. This is a variant of “Slow Loris” attacks once prevalent on the internet.
All top web servers like Apache, IIS and Nginx were found to be vulnerable. Here’s how to fix them:
Apache implements HTTP/2 using a module called mod_http2. This module is vulnerable in Apache versions 2.4.17 and 2.4.18. So, if you run either of these versions, upgrade to a later version, such as 2.4.20.
If you are unable to upgrade, you can mitigate it using mod_reqtimeout. In 2.4.17 and 2.4.18, this module is included by default. Set the following directives in your httpd.conf:
<IfModule mod_reqtimeout.c>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
HTTP/2 is implemented only in IIS 10, which is shipped with Windows Server 2016 and Windows 10. So, unless you are using the early Server 2016 Technical Preview or Windows 10 for production websites, you are safe.
Nginx v1.9.9 was found to be vulnerable to Slow Read on “GET” requests. A patch for this was released in v1.9.12. So, if you are using an older version of Nginx, update ASAP.
In case you are unable to upgrade right away, you can reduce the impact of an attack by limiting the request rate and the total number of connections from a single IP address. For example:
limit_conn perip 10;
limit_req zone=perip burst=5 nodelay;
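The two directives above only work inside a server (or location) block and depend on shared-memory zones being declared at the http level. A complete configuration showing where everything sits, as an added example that is not part of the original post: the limit_conn_zone and limit_req_zone declarations, the zone names (kept distinct for the two modules), zone sizes, the 10r/s rate, the 429 status codes and the whole server block are assumptions chosen for illustration, not settings from the post.

```nginx
# Added example, not from the original post. Zone names, sizes, the rate
# and the server block are assumptions chosen for illustration.
events {
    worker_connections 1024;
}

http {
    # Shared-memory zones keyed by client address. $binary_remote_addr is
    # the compact binary form of the address, so 10m holds on the order of
    # 160,000 client entries.
    limit_conn_zone $binary_remote_addr zone=conn_perip:10m;
    limit_req_zone  $binary_remote_addr zone=req_perip:10m rate=10r/s;

    # Reject with 429 rather than the default 503, so a rate-limited client
    # is distinguishable from a backend outage in logs and monitoring.
    limit_conn_status 429;
    limit_req_status  429;
    limit_conn_log_level warn;
    limit_req_log_level  warn;

    server {
        listen 443 ssl http2;
        server_name example.com;                          # placeholder
        ssl_certificate     /etc/ssl/certs/example.pem;   # placeholder
        ssl_certificate_key /etc/ssl/private/example.key; # placeholder

        # At most 10 simultaneous connections per client address; the
        # 11th connection is refused with limit_conn_status.
        limit_conn conn_perip 10;

        # Sustained rate of 10r/s per address comes from the zone. Up to 5
        # extra requests are accepted as a burst and served immediately
        # (nodelay); anything beyond that is rejected with limit_req_status.
        limit_req zone=req_perip burst=5 nodelay;

        location / {
            root /var/www/html;   # placeholder
        }
    }
}
```

Validate the file with `nginx -t` before reloading. Watch the error log after deployment: a steady stream of "limiting requests" or "limiting connections" warnings from a single address is the signature of the behaviour these limits are meant to contain, while the same warnings spread across many legitimate addresses mean the limits are set too tight for your traffic.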
2. HPACK Bomb Vulnerability (CVE-2016-1544)
This vulnerability can be exploited by sending a connection header and then opening a large number of data streams that reuse that same initial header. Such an attack quickly exhausts the server’s memory and crashes the server.
This vulnerability was detected in Nghttpd (aka Nghttp2), an “experimental” HTTP/2 server.
A fix for this vulnerability was released on Feb 11. If you are running Nghttpd v1.7.0 or older, fix it by upgrading to v1.7.1 or later.
Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.