HTTP/2 Denial of Service Advisory

Netflix found a series of DoS on H2 implementations.
Honestly, none are very surprising or particularly tricky, when you have studied the protocol.

I am just sad they had to report them, because that means that many people did not think much about this kind of issue while developing their H2 stack.

It also means that the H2 protocol is really too complex for its own sake. But I already said that back in 2016 *grumble*

@marataziat Which adds a whole new layer of craziness to the stack :)
IP/UDP/QUIC/H2/H1/App instead of IP/TCP/TLS/H2/H1/App

@x_cli Yeah! Every new technology gets bugs in a few years :) WPA3 is the example!

@marataziat The complexity of H2 and H3 will hopefully provide for the many years to come ;) We won't go unemployed x)

@x_cli why haven't you reported those back then if you knew they would happen?

@dpwiz I was tasked by my employer to study the protocol and give an opinion.
I had found several of the vulnerabilities that Imperva published. But they published faster than me. So my job was done: I could no longer get PR for my findings and my opinion was formed.

It was obvious there was more from that barrel, but my job was not to dig them up but merely to advise my employer regarding that new protocol. Once I was done, I was tasked with another protocol to study :)

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.