HTTP/2 Transport Protocol is now available in BreakingPoint Security Component

Hypertext Transfer Protocol (HTTP) is a Layer-7 (application layer) protocol that is the fundamental component of the modern internet. It has 4 stable versions – HTTP/0.9, HTTP/1.1, HTTP/2 and HTTP/3.

As web and mobile applications grow in complexity and data volume (streaming multimedia, bulk data transfer and so on), HTTP/1.1 becomes slow because it transfers multiple HTTP requests and responses serially over a single TCP connection. HTTP/2, the next version of HTTP, addresses this with major improvements such as multiplexing, header compression, faster data transfer, server push, a binary rather than text protocol, and non-blocking downloads.
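An added example (not from the original post or from BreakingPoint) of what binary framing and multiplexing mean for content inspection: it parses the 9-byte HTTP/2 frame header defined in RFC 9113 and reassembles DATA payloads per stream. The capture bytes, the `frame` helper and the `TEST-SIGNATURE` marker are constructed for illustration, and HEADERS/HPACK decoding is out of scope.

```python
import struct
from collections import defaultdict

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # client connection preface
DATA, SETTINGS = 0x0, 0x4                       # frame types
END_STREAM, PADDED = 0x1, 0x8                   # DATA frame flags

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for every frame in buf."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos < len(buf):
        if pos + 9 > len(buf):
            raise ValueError(f"truncated frame header at offset {pos}")
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo          # 24-bit payload length
        sid &= 0x7FFFFFFF                 # top bit of the stream id is reserved
        end = pos + 9 + length
        if end > len(buf):
            raise ValueError(f"truncated frame payload at offset {pos}")
        yield ftype, flags, sid, buf[pos + 9:end]
        pos = end

def reassemble_bodies(buf):
    """Return {stream_id: body} rebuilt from DATA frames, padding stripped."""
    bodies = defaultdict(bytes)
    for ftype, flags, sid, payload in iter_frames(buf):
        if ftype != DATA:
            continue                      # HEADERS, SETTINGS etc. carry no body
        if sid == 0:
            raise ValueError("DATA frame on stream 0")
        if flags & PADDED:
            if not payload or payload[0] >= len(payload):
                raise ValueError("invalid pad length")
            payload = payload[1:len(payload) - payload[0]]
        bodies[sid] += payload
    return dict(bodies)

def frame(ftype, flags, sid, payload):
    """Helper (constructed for this example): serialize one frame."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed capture: the marker on stream 1 is split by a stream 3 frame.
SAMPLE = (PREFACE + frame(SETTINGS, 0, 0, b"")
          + frame(DATA, 0, 1, b"AAAA TEST-SIG")
          + frame(DATA, PADDED | END_STREAM, 3, b"\x03other\x00\x00\x00")
          + frame(DATA, END_STREAM, 1, b"NATURE BBBB"))

if __name__ == "__main__":
    print("marker in raw bytes:", b"TEST-SIGNATURE" in SAMPLE)
    print("reassembled:", reassemble_bodies(SAMPLE))
```

A byte-pattern match on the raw TCP payload misses the marker because another stream's frame sits in the middle of it; only per-stream reassembly recovers the transferred content.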

When we open an HTTP/2 PCAP in Wireshark, it correctly parses the HTTP/2 entries, as shown below:

Figure 1: Wireshark PCAP with HTTP/2 entries

According to global internet traffic trends, 64.45% of overall internet traffic over the last year used HTTP/2, including several types of attacks.

Figure 2: Cloudflare Radar Statistics

HTTP/2 traffic has increased for both legitimate and attack traffic in the last twelve months. ATI has expanded its security evasions for file transfer and malware strikes to support HTTP/2 inside the “Security” component of the BreakingPoint System. HTTP/2 support is added for GET, POST with multi-part and POST without multi-part, which can be selected in the HTTP evasion profile and in the Global section, as was the case with HTTP/1.

Note: By default, the POST method uses multi-part encoding, but this can be disabled from the global settings inside the evasion profile, as shown below:

Figure 3: Global settings under evasion profile

Now let’s see how to use HTTP/2 inside a BPS evasion profile:

File Transfer Evasion Profile

For the file transfer strikes, we have added a new “TransportProtocol” option named “HTTP/2” under the FILETRANSFER section of the Evasion Profile, as shown below:

Figure 4: FILETRANSFER settings under evasion profile

As a reference and for ease of use, we have created a sample canned evasion profile named “Security Evasion Profile – FILETRANSFER HTTP/2”. If we run a sample File Transfer Strike using that canned evasion profile, the PCAP will look like this:

Figure 5: Sample FILETRANSFER strike pcap over HTTP/2

Malware Evasion Profile

For the malware strikes, we have also added a new “TransportProtocol” option named “HTTP/2” under the MALWARE section of the Evasion Profile, as shown below:

Figure 6: MALWARE settings under evasion profile

As a reference, here too we have created a sample canned evasion profile named “MALWARE: HTTP/2”. If we run a sample Malware Strike using that canned evasion profile, the PCAP will look like this:

Figure 7: Sample MALWARE strike pcap over HTTP/2

Which Strikes support this?

Until now, we have released thousands of File Transfer Strikes, 1,000+ Monthly Malware Strikes and 10,000+ Daily Malware Strikes, all of which support HTTP/2 when run using the security component.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing them to test their currently deployed security control's ability to detect or block such attacks.
