HTTP/2 Denial of Service Update

Posted by James Cline

Verizon Media makes every effort to ensure that your web services remain 100% available. As such, we wanted to inform you that the recent vulnerabilities associated with HTTP/2 on our network have been patched.

Netflix, Google, and CERT/CC coordinated notification of the Internet community so that patching could be expedited before the public announcement of CVE-2019-9511 through CVE-2019-9518.

While most of our systems were not vulnerable to these Denial of Service attacks, those that were vulnerable have been patched. We greatly appreciate the pre-announcement notification, which helps us protect our customers and ensure a reliable Internet for everyone.


HTTP/2 is an update to the HTTP specification that differs fundamentally in its underlying technology. While HTTP used a simple, predominantly text-based system on top of TCP, HTTP/2 adds its own connection multiplexing, window framing, and binary format.

The general idea behind these vulnerabilities is to misuse a feature of HTTP/2. A common theme among them is flooding a server with a particular HTTP/2 message (e.g. the PING frame). Whether the flood is exploitable depends on how the application handles these messages. For example, if the application logs every PING frame, the system would be susceptible to high CPU usage and depleted system storage.
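The following is an added example, not code from Verizon Media or the EdgeCast CDN: a per-connection guard that parses HTTP/2 frame headers (RFC 7540 layout), counts non-ACK PING frames in a sliding window, and signals that the connection should be closed with ENHANCE_YOUR_CALM rather than logging each frame. The function and class names, the threshold of 10 PINGs per second, and the byte stream are constructed for illustration.

```python
import struct
from collections import deque

TYPE_PING, FLAG_ACK = 0x6, 0x1   # RFC 7540 PING frame type and its ACK flag
ENHANCE_YOUR_CALM = 0xB          # RFC 7540 error code for excessive load from a peer

def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        # 9-byte header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        end = off + 9 + ((hi << 16) | lo)
        if end > len(buf):       # partial frame: wait for more bytes
            break
        yield ftype, flags, sid & 0x7FFFFFFF, buf[off + 9:end]
        off = end

class PingFloodGuard:
    """Sliding-window limit on PINGs that require a reply (hypothetical helper)."""
    def __init__(self, max_pings=10, window=1.0):   # assumed threshold
        self.max_pings, self.window = max_pings, window
        self.seen = deque()

    def on_frame(self, ftype, flags, now):
        """Return None to keep the connection, or an error code to close it."""
        if ftype != TYPE_PING or flags & FLAG_ACK:
            return None
        self.seen.append(now)
        while now - self.seen[0] > self.window:
            self.seen.popleft()
        # One decision per connection instead of one log line per frame.
        return ENHANCE_YOUR_CALM if len(self.seen) > self.max_pings else None

def make_ping(ack=False):
    """Build a constructed PING frame: stream 0, 8-byte opaque payload."""
    return struct.pack(">BHBBI", 0, 8, TYPE_PING, FLAG_ACK if ack else 0, 0) + b"\x00" * 8

def simulate(n_pings, interval):
    """Feed n_pings constructed PINGs spaced `interval` seconds apart."""
    guard = PingFloodGuard()
    for i, (ftype, flags, _sid, _payload) in enumerate(parse_frames(make_ping() * n_pings)):
        verdict = guard.on_frame(ftype, flags, now=i * interval)
        if verdict is not None:
            return i + 1, verdict    # frames accepted before closing, error code
    return n_pings, None
```
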


The majority of our services were not vulnerable to these issues. The services that were vulnerable were only vulnerable to one of the exploits, and have since been patched. No action is required by customers to mitigate these attacks for content that is served via the EdgeCast CDN.