Slow rate denial of service attacks against HTTP/2 and detection

HTTP/2 is a newly standardized protocol designed to efficiently utilize the TCP's transmission rate and has other advantages compared to HTTP/1.1. However its threat vectors are not completely understood yet. Our contribution in this paper is threefold. First we describe few new threat vectors of HTTP/2 which are Slow Rate DoS attacks and can be launched by injecting specially crafted HTTP requests. We perform an empirical evaluation of these attacks against popular web servers and report that majority of web servers are vulnerable to these attacks. We also test the effectiveness of proposed attacks using both clear text and encrypted HTTP/2 requests and find that the attack is effective independent of the request type. Second we compare structurally similar attacks with HTTP/1.1 and report that HTTP/2 has more threat vectors compared to its predecessor. Third we propose an anomaly detection scheme which uses chi-square (χ2) test between traffic profiles generated in normal and attack scenarios to detect these attacks.