
Akamai Security Intelligence & Threat Research

HTTP/2 Vulnerabilities

On Tuesday, August 13th at 10 AM Pacific Time (17:00 UTC), Netflix publicly disclosed a series of vulnerabilities, found by Jonathan Looney, that affect many implementations of the HTTP/2 protocol. A related vulnerability found by Piotr Sikora of Google was released at the same time. Akamai is grateful to the reporters for their work and for coordinating with vendors ahead of the release.

About the Vulnerabilities

All of the HTTP/2 vulnerabilities referenced above are resource exhaustion vulnerabilities: they affect the availability of the attacked systems and services, not the confidentiality or integrity of the data they hold. Each one abuses frames that are individually valid under the protocol, so a server cannot simply reject a malformed message; it has to bound the work (CPU, memory, queued output) that a single connection is allowed to demand. Vectors like these have been seen before against other protocols, for example Slowloris against HTTP/2's predecessor HTTP/1.x, and TCP zero-window stalls that hold connections open indefinitely.

Rather than going into detail on each vulnerability here, please see the write-up provided by Netflix. The list below gives the name of each vulnerability and who reported it.

Vulnerability                          Reported by
Data Dribble                           Jonathan Looney, Netflix
Ping Flood                             Jonathan Looney, Netflix
Resource Loop                          Jonathan Looney, Netflix
Reset Flood                            Jonathan Looney, Netflix
Settings Flood                         Jonathan Looney, Netflix
0-Length Headers Leak (Nginx variant)  Jonathan Looney, Netflix
Internal Data Buffering                Jonathan Looney, Netflix
Empty Frames Flood                     Piotr Sikora, Google

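The vulnerabilities listed above share one shape: a peer sends cheap, individually legal frames and never completes a request, while the server does unbounded work or queues unbounded output. As an added example that is not Akamai's or Netflix's code and not a patch for any particular implementation, the block below parses raw HTTP/2 frames and applies a per-connection guard of the kind server authors adopted in response: it counts control frames (PING, SETTINGS, PRIORITY, RST_STREAM, WINDOW_UPDATE) that arrive without request progress and counts zero-length DATA/HEADERS/CONTINUATION frames that finish nothing, closing the connection when either budget is exceeded. The thresholds, the reason strings and the sample traffic are constructed for illustration. It covers the inbound side only: Ping Flood and Reset Flood additionally require the server to bound its outbound queue when the client stops reading, which this example does not model.

```python
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Frame type codes (RFC 7540, section 6) and the flags this guard looks at.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x6, 0x7, 0x8, 0x9
FLAG_END_STREAM, FLAG_ACK, FLAG_END_HEADERS = 0x1, 0x1, 0x4
FRAME_HEADER_LEN = 9
CONTROL_TYPES = {PRIORITY, RST_STREAM, SETTINGS, PING, WINDOW_UPDATE}
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"

@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data: bytes) -> Iterator[Frame]:
    """Yield frames from concatenated frame bytes (connection preface already removed)."""
    off = 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header at offset %d" % off)
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload at offset %d" % off)
        yield Frame(length, ftype, flags, stream_id, payload)
        off += FRAME_HEADER_LEN + length

@dataclass
class ConnectionGuard:
    """Per-connection counters bounding the work a peer can demand without completing
    requests. Thresholds are this example's assumptions, not any server's defaults."""
    max_control_frames: int = 1000   # PING/SETTINGS/PRIORITY/RST_STREAM/WINDOW_UPDATE
    max_empty_frames: int = 100      # zero-length DATA/HEADERS/CONTINUATION with no END_* flag
    progress_credit: int = 10        # each completed request pays back this much budget
    control_frames: int = 0
    empty_frames: int = 0

    def inspect(self, f: Frame) -> Optional[str]:
        """Return None to keep reading, or a reason string to close the connection."""
        # Connection-level frames live on stream 0 only; stream-level frames never do.
        if f.ftype in (SETTINGS, PING, GOAWAY) and f.stream_id != 0:
            return "protocol_error"
        if f.ftype in (DATA, HEADERS, PRIORITY, RST_STREAM, CONTINUATION) and f.stream_id == 0:
            return "protocol_error"
        if f.ftype in CONTROL_TYPES and not (f.ftype in (SETTINGS, PING) and f.flags & FLAG_ACK):
            # Ping Flood, Settings Flood and Resource Loop (PRIORITY churn) all arrive as
            # streams of control frames that never complete a request.
            self.control_frames += 1
            if self.control_frames > self.max_control_frames:
                return "control_frame_flood"
        if f.ftype in (DATA, HEADERS, CONTINUATION):
            if f.length == 0 and not f.flags & (FLAG_END_STREAM | FLAG_END_HEADERS):
                # Empty Frames Flood: frames that carry nothing and finish nothing.
                self.empty_frames += 1
                if self.empty_frames > self.max_empty_frames:
                    return "empty_frame_flood"
            if f.flags & FLAG_END_STREAM:
                # A finished request is real work: refund part of the control budget.
                self.control_frames = max(0, self.control_frames - self.progress_credit)
        return None

def scan_connection(data: bytes, guard: Optional[ConnectionGuard] = None) -> Tuple[int, Optional[str]]:
    """Feed every frame to the guard; return (frames read, abort reason or None)."""
    guard = guard or ConnectionGuard()
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    seen = 0
    for frame in parse_frames(data):
        seen += 1
        reason = guard.inspect(frame)
        if reason:
            return seen, reason
    return seen, None

# Constructed sample traffic, not captures. Header blocks are HPACK static-table
# indexes: 0x82 :method GET, 0x83 :method POST, 0x86 :scheme http, 0x84 :path /.
LEGIT = (PREFACE + build_frame(SETTINGS, 0, 0)
         + build_frame(WINDOW_UPDATE, 0, 0, (1 << 20).to_bytes(4, "big"))
         + b"".join(build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, b"\x82\x86\x84")
                    for sid in (1, 3, 5, 7)))
PING_FLOOD = PREFACE + build_frame(PING, 0, 0, b"\x00" * 8) * 1200
SETTINGS_FLOOD = PREFACE + build_frame(SETTINGS, 0, 0) * 1200
EMPTY_DATA_FLOOD = (PREFACE + build_frame(HEADERS, FLAG_END_HEADERS, 1, b"\x83\x86\x84")
                    + build_frame(DATA, 0, 1) * 150)

if __name__ == "__main__":
    for blob in (LEGIT, PING_FLOOD, SETTINGS_FLOOD, EMPTY_DATA_FLOOD):
        print(scan_connection(blob))
```

The well-behaved client is read to the end; the three floods are cut off shortly after their budget runs out, and a PING sent on a non-zero stream is rejected outright. The refund on END_STREAM is the design choice worth noting: a fixed per-connection cap would eventually close long-lived, legitimate connections, whereas a budget that is repaid by completed requests only trips for peers that send control frames without ever doing useful work.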

Akamai Impact

Some Akamai services were affected by these vulnerabilities; all customer-facing services have since been patched. Akamai recommends that every Internet-facing HTTP/2 service be patched for these vulnerabilities as soon as possible. Customers who front their origins with Akamai and keep their SiteShield lists up to date should be protected while their origin infrastructure is patched, because the origin then accepts connections only from Akamai's SiteShield address ranges rather than directly from the Internet. Any HTTP/2 listener that is reachable outside that path still needs the patch.
