Author Archives: Nafeez

On the recent HTTP/2 DoS attacks

Today, multiple Denial of Service (DoS) vulnerabilities were disclosed for a number of HTTP/2 server implementations. Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks.

The individual vulnerabilities, originally discovered by Netflix and included in this announcement, are:

As soon as we became aware of these vulnerabilities, Cloudflare’s Protocols team started working on fixing them. We first pushed a patch to detect any attack attempts and to see if any normal traffic would be affected by our mitigations. This was followed up with work to mitigate these vulnerabilities; we pushed the changes out a few weeks ago and continue to monitor for similar attacks on our stack.

If any of our customers host web services over HTTP/2 on an alternative, publicly accessible path that is not behind Cloudflare, we recommend you apply the latest security updates to your origin servers in order to protect yourselves from these HTTP/2 vulnerabilities.

We will soon follow up with more details on these vulnerabilities and how we mitigated them.
