Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22–25, 2017, Proceedings

Research Article

HDoS: An Application-Layer DoS Attack Towards HTTP/2 Protocol

  • @INPROCEEDINGS{10.1007/978-3-319-78813-5_28,
        author={Xiang Ling and Chunming Wu and Shouling Ji and Meng Han},
        title={HDoS: An Application-Layer DoS Attack Towards HTTP/2 Protocol},
        proceedings={Security and Privacy in Communication Networks. 13th International Conference, SecureComm 2017, Niagara Falls, ON, Canada, October 22--25, 2017, Proceedings},
        proceedings_a={SECURECOMM},
        year={2018},
        month={4},
        keywords={Web security DoS attack HTTP/2 protocol},
        doi={10.1007/978-3-319-78813-5_28}
    }
    
  • Xiang Ling
    Chunming Wu
    Shouling Ji
    Meng Han
    Year: 2018
    HDoS: An Application-Layer DoS Attack Towards HTTP/2 Protocol
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-319-78813-5_28
Xiang Ling (1, *), Chunming Wu (1, *), Shouling Ji (*), Meng Han (2, *)
  • 1: Zhejiang University
  • 2: Kennesaw State University
*Contact email: lingxiang@zju.edu.cn, wuchunming@zju.edu.cn, sji@zju.edu.cn, menghan@kennesaw.edu

Abstract

HTTP/2, the latest version of the application-layer protocol, is experiencing exponentially increasing adoption by both servers and browsers. The new features introduced by HTTP/2 give rise to many security threats in its deployment. In this paper, we focus on application-layer DoS attacks in HTTP/2 and present a novel HDoS attack that exploits the multiplexing and flow-control mechanisms of HTTP/2. We first perform a large-scale measurement to investigate the deployment of HTTP/2. Then, based on the measurement results, we test HDoS under a general experimental setting, where the server-side HTTP/2 implementation is . Our comprehensive tests demonstrate both the feasibility and the severity of the HDoS attack. We find that the HDoS attack completely denies requests from legitimate clients and has severe impacts on victim servers. Our work underscores the emerging security threats that arise in HTTP/2 and has significant reference value for other researchers and for the security development of HTTP/2.