Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

HTTP/2 Rapid Reset: deconstructing the record-breaking attack

Cloudflare, posted 2 years ago
  • A zero-day in the HTTP/2 protocol was discovered that enables Denial of Service (DoS) attacks. Cloudflare, a CDN with a major DDoS-mitigation system, was at the forefront of this. They saw attacks peaking at 201 million requests per second, nearly 3x larger than the largest attack they had previously seen. So, what's the issue?
  • HTTP/2 is a major improvement on HTTP/1.1. It carries the same request and response data as before but adds concurrency and multiplexing: within a single TCP connection, each request/response exchange runs on its own stream. The server advertises a hard limit on how many streams may be open concurrently on one connection (SETTINGS_MAX_CONCURRENT_STREAMS), precisely to prevent resource-exhaustion DoS.
  • HTTP/2 also supports in-flight cancellation of a stream: the client sends an RST_STREAM frame for it. A cancelled stream is closed immediately and no longer counts toward the concurrent-stream limit.
  • Rapid Reset abuses exactly that. The client opens a stream with a HEADERS frame and cancels it with RST_STREAM right away, in a tight loop, so it never exceeds the concurrent-stream limit while the server still pays to set up each stream and tear it down. In Cloudflare's case, frames read from the socket are copied into a buffer and processed from there; by the time the cancellation is processed, work on the request has already started, and stopping it has still consumed significant resources.
  • The bug reminds me of the SlowHTTP attacks on HTTP/1.1 from years ago: eat up too many resources to crash the server. Besides the technical side, it's fascinating to see how Cloudflare mitigates these types of problems. They take the security of uptime seriously, which I really appreciate.
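To make the stream accounting above concrete, here is an added example (my own code, not anything from the Cloudflare post or from any real server). It encodes the raw HTTP/2 frames a Rapid Reset client sends, then feeds them to a toy server-side connection that tracks open streams against a concurrent-stream limit and counts "work started" the way a proxy that has already dispatched the request would. The limit of 100, the cancel budget of 50 used as a mitigation, and the two-byte HPACK header block are assumed/constructed values.

```python
"""Added example (not code from the Cloudflare post): encode the HTTP/2 frames
a Rapid Reset client sends, then run them through a toy server connection that
accounts for streams the way the write-up describes.  Limits, thresholds and
the header block are assumed/constructed values."""
import struct

# Frame types, flags and the CANCEL error code defined in RFC 9113.
HEADERS, RST_STREAM = 0x1, 0x3
END_STREAM, END_HEADERS = 0x1, 0x4
CANCEL = 0x8
# Constructed HPACK block: static-table indices 2 (:method GET) and 4 (:path /).
GET_ROOT = b"\x82\x84"


def frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24 or stream_id >= 1 << 31:
        raise ValueError("payload too large or stream id out of range")
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)


def parse_frames(data):
    """Split raw bytes into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack("!I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last frame")
    return frames


def flood(n):
    """Naive attacker: open n streams and never cancel them."""
    return b"".join(frame(HEADERS, END_HEADERS | END_STREAM, 2 * i + 1, GET_ROOT)
                    for i in range(n))


def rapid_reset(n):
    """Rapid Reset attacker: open each stream and cancel it immediately."""
    out = []
    for i in range(n):
        sid = 2 * i + 1  # client-initiated streams use odd ids
        out.append(frame(HEADERS, END_HEADERS | END_STREAM, sid, GET_ROOT))
        out.append(frame(RST_STREAM, 0, sid, struct.pack("!I", CANCEL)))
    return b"".join(out)


class Connection:
    """Toy server-side connection.  A HEADERS frame counts as work started
    (think: request already dispatched to the origin); RST_STREAM frees the
    stream slot but cannot undo that work.  cancel_budget is an assumed
    mitigation: close the connection once too many streams were cancelled."""

    def __init__(self, max_concurrent=100, cancel_budget=None):
        self.max_concurrent = max_concurrent
        self.cancel_budget = cancel_budget
        self.open = set()
        self.peak_open = 0
        self.work_started = self.refused = self.cancelled = 0
        self.closed = False

    def feed(self, data):
        for ftype, _flags, sid, _payload in parse_frames(data):
            if self.closed:
                break  # after GOAWAY nothing more is processed
            if ftype == HEADERS:
                if len(self.open) >= self.max_concurrent:
                    self.refused += 1  # server would reply RST_STREAM(REFUSED_STREAM)
                    continue
                self.open.add(sid)
                self.peak_open = max(self.peak_open, len(self.open))
                self.work_started += 1
            elif ftype == RST_STREAM and sid in self.open:
                self.open.discard(sid)  # no longer counts toward the limit
                self.cancelled += 1
                if self.cancel_budget is not None and self.cancelled > self.cancel_budget:
                    self.closed = True  # send GOAWAY and drop the connection
        return self


def compare(n=1000):
    """Run the three scenarios and return the counters for each."""
    return {
        "flood": vars(Connection().feed(flood(n))),
        "rapid_reset": vars(Connection().feed(rapid_reset(n))),
        "rapid_reset_mitigated": vars(Connection(cancel_budget=50).feed(rapid_reset(n))),
    }


if __name__ == "__main__":
    for name, c in compare().items():
        print(f"{name}: work={c['work_started']} refused={c['refused']} "
              f"cancelled={c['cancelled']} peak_open={c['peak_open']} closed={c['closed']}")
```

Running it shows the asymmetry the post describes: the plain flood is stopped by the concurrent-stream limit after 100 requests (the other 900 are refused), while the Rapid Reset stream of 1000 HEADERS/RST_STREAM pairs never has more than one stream open yet starts 1000 units of work. The cancel budget is one illustrative mitigation in the spirit of what the post discusses (counting cancellations per connection rather than trusting the open-stream count); real servers pair it with per-IP limits and rate limiting on new streams.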