Skip to main content
SpringerLink
Log in

H\(_{2}\)DoS: An Application-Layer DoS Attack Towards HTTP/2 Protocol

  • Conference paper
  • First Online:
Security and Privacy in Communication Networks (SecureComm 2017)

Abstract

HTTP/2, as the latest version of application layer protocol, is experiencing an exponentially increasing adoption by both servers and browsers. Due to the new features introduced by HTTP/2, many security threats emerge in the deployment of HTTP/2. In this paper, we focus on application-layer DoS attacks in HTTP/2 and present a novel H\(_{2}\)DoS attack that exploits multiplexing and flow-control mechanisms of HTTP/2. We first perform a large-scale measurement to investigate the deployment of HTTP/2. Then, based on measurement results, we test H\(_{2}\)DoS under a general experimental setting, where the server-side HTTP/2 implementation is nginx. Our comprehensive tests demonstrate both the feasibility and severity of H\(_{2}\)DoS attack. We find that H\(_{2}\)DoS attack results in completely denying requests from legitimate clients and has severe impacts on victim servers. Our work underscores the emerging security threats arise in HTTP/2, which has significant reference value to other researchers and the security development of HTTP/2.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 109.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 143.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The QUIC Projects https://www.chromium.org/quic.

References

  1. Mike, B., Roberto, P., Thomson, M: RFC 7540: hypertext transfer protocol version 2 (HTTP/2). Internet Engineering Task Force (IETF), Google Inc. (2015)

    Google Scholar 

  2. SPDY: An experimental protocol for a faster web. https://www.chromium.org/spdy/spdy-whitepaper

  3. Roberto, P., Ruellan, H.: HPACK: Header Compression for HTTP/2. No. RFC 7541, Internet Engineering Task Force (2015)

    Google Scholar 

  4. Thai, D., Juliano, R.: The CRIME attack. In: Ekoparty Security Conference (2012)

    Google Scholar 

  5. Radware Emergency Response Team: Global Application & Network Security Report 2016–2017 (2016). https://www.radware.com/ert-report-2016/

  6. RSnake, Kinsella, J.: Slowloris HTTP DoS. https://web.archive.org/web/20150426090206/http://ha.ckers.org/slowloris

  7. THC-SSL-DOS. http://kalilinuxtutorials.com/thc-ssl-dos/

  8. Varvello, M., Schomp, K., Naylor, D., Blackburn, J., Finamore, A., Papagiannaki, K.: Is the web HTTP/2 yet? In: Karagiannis, T., Dimitropoulos, X. (eds.) PAM 2016. LNCS, vol. 9631, pp. 218–232. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-30505-9_17

    Chapter  Google Scholar 

  9. Wang, X.S., Balasubramanian, A., Krishnamurthy, A., Wetherall, D.: How speedy is SPDY? In: 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI), pp. 387–399. Usenix Association (2014)

    Google Scholar 

  10. Meyer, C., Schwenk, J.: SoK: lessons learned from SSL/TLS attacks. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 189–209. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-05149-9_12

    Chapter  Google Scholar 

  11. Alexa Top Sites, September 2016. http://www.alexa.com/topsites

  12. Friedl, S., Popov, A., Langley, A., Stephan, E.: Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension, No. RFC 7301, IETF (2014)

    Google Scholar 

  13. Dierks, T.: The Transport Layer Security (TLS) Protocol Version 1.2, No. RFC 5246, IETF (2008)

    Google Scholar 

  14. David, G., Totty, B.: HTTP: The Definitive Guide. O’Reilly Media, Sebastopol (2002)

    MATH  Google Scholar 

  15. Rodola, G.: A cross-platform process and system utilities module for Python. https://github.com/giampaolo/psutil

  16. Fitzpatrick, B.: Http2 in GoDoc. https://godoc.org/golang.org/x/net/http2

  17. NGINX Inc: nginx stable version 1.10.0, October 2016. https://nginx.org/en/linux_packages.html#stable

  18. Yi, X., Yu, S.-Z.: Monitoring the application-layer DDoS attacks for popular websites. IEEE/ACM Trans. Netw. (TON) 17(1), 15–25 (2009)

    Article  Google Scholar 

  19. Ranjan, S., Swaminathan, R., Uysal, M., Nucci, A., Knightly, E.: DDoS-shield: DDoS-resilient scheduling to counter application layer attacks. IEEE/ACM Trans. Netw. (TON) 17, 26–39 (2009)

    Article  Google Scholar 

  20. Maci-Fernndez, G., Daz-Verdejo, J.E., Garca-Teodoro, P.: Mathematical model for low-rate DoS attacks against application servers. IEEE Trans. Inf. Forensics Secur. (TIFS) 4, 519–529 (2009)

    Article  Google Scholar 

  21. Durcekova, V., Schwartz, L.: Sophisticated denial of service attacks aimed at application layer. In: IELEKTRO, Nahid Shahmehri (2012)

    Google Scholar 

  22. Zargar, S.T., Joshi, J., Tipper, D.: A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE Commun. Surv. Tutor. 15, 2046–2069 (2013)

    Article  Google Scholar 

  23. Jazi, H.H., Gonzalez, H., Stakhanova, N., Ali, A.: Detecting HTTP-based application layer DoS attacks on Web servers in the presence of sampling. Comput. Netw. 121, 25–36 (2017)

    Article  Google Scholar 

  24. Imperva: HTTP/2: In-depth analysis of the top four flaws of the next generation web protocol (2016). https://www.imperva.com/docs/Imperva_HII_HTTP2.pdf

  25. Adi, E., Baig, Z.A., Hingston, P., Lam, C.-P.: Distributed denial-of-service attacks against HTTP/2 services. Clust. Comput. 19, 79–86 (2016)

    Article  Google Scholar 

  26. Redelmeier, I.: The Security Implications of HTTP/2.0 (2013). http://www.cs.tufts.edu/comp/116/archive/fall2013/iredelmeier.pdf

  27. Larsen, S., Villamil, J.: Attacking HTTP2 implementations. In: 13th PACific SECurity - Applied Security Conferences and Training in Pacific Asia (PacSec) (2015)

    Google Scholar 

  28. Van Goethem, T., Vanhoef, M.: HEIST: HTTP encrypted information can be Stolen through TCP-windows, Blackhat, USA (2016)

    Google Scholar 

  29. (Kate) Pearce, C., Vincent, C.: HTTP/2 & QUIC - teaching good protocols to do bad things, Blackhat, USA (2016)

    Google Scholar 

Download references

Acknowledgments

This work is supported by the National Key Research and Development Program of China under No. 2016YFB0800102 and 2016YFB0800201, the National High Technology Research and Development Program of China under No. 2015AA015602 and 2015AA016103, the Key Research and Development Program of Zhejiang Province under No. 2017C01064 and 2017C01055, the Fundamental Research Funds for the Central Universities, the NSFC under program No. 61772466, the Alibaba-Zhejiang University Joint Research Institute for Frontier Technologies (A.Z.F.T.) under Program No. XT622017000118, and the CCF-Tencent Open Research Fund under No. AGR20160109.

Author information

Authors and Affiliations

  1. Zhejiang University, Hangzhou, China

    Xiang Ling, Chunming Wu & Shouling Ji

  2. Kennesaw State University, Kennesaw, GA, USA

    Meng Han

  3. Alibaba-Zhejiang University Joint Institute of Frontier Technologies, Hangzhou, China

    Shouling Ji

Authors
  1. Xiang Ling
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chunming Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Shouling Ji
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Meng Han
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Xiang Ling .

Editor information

Editors and Affiliations

  1. Wilfrid Laurier University, Waterloo, Ontario, Canada

    Xiaodong Lin

  2. University of New Brunswick, Fredericton, New Brunswick, Canada

    Ali Ghorbani

  3. University at Buffalo, Buffalo, New York, USA

    Kui Ren

  4. Pennsylvania State University, Philadelphia, Pennsylvania, USA

    Sencun Zhu

  5. Anhui Normal University, Wuhu, China

    Aiqing Zhang

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ling, X., Wu, C., Ji, S., Han, M. (2018). H\(_{2}\)DoS: An Application-Layer DoS Attack Towards HTTP/2 Protocol. In: Lin, X., Ghorbani, A., Ren, K., Zhu, S., Zhang, A. (eds) Security and Privacy in Communication Networks. SecureComm 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 238. Springer, Cham. https://doi.org/10.1007/978-3-319-78813-5_28

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-78813-5_28

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78812-8

  • Online ISBN: 978-3-319-78813-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation