Single-packet race-condition primitives (Kettle BH23 “Smashing the State Machine”): HTTP/1.1 pipelined coalesce + HTTP/2 last-byte-sync frame builders. Builds wire bytes only; the transport layer handles the TCP_NODELAY-off + writev coalesce.
Race conditions in web applications usually require the attacker to fire N parallel requests so close in time that they all reach the application’s logic check before any of them commits. The limit is no longer “how fast can I send” — it’s “how synchronized can my requests be when they hit the server’s TCP layer.”
James Kettle’s Black Hat 2023 “Smashing the State Machine” research introduced the single-packet attack: pack the LAST byte of N HTTP/2 requests (or N parallel HTTP/1.1 pipelined requests) into one IP packet. The kernel delivers all N at once; they cross the application’s race window in nanoseconds rather than milliseconds.
This module builds the wire bytes for the attack. The actual “send everything in one TCP packet” trick is a transport-layer concern: the operator must leave Nagle's algorithm enabled (TCP_NODELAY off; yes, OFF, so Nagle batches the writes), keep the connection open with HTTP/2, and use MSG_MORE-style writev to coalesce.
Two attack shapes:
- HTTP/2 last-byte-sync. Send N concurrent streams, each stalled with the body almost-but-not-quite complete. Then send ONE final-byte frame per stream in a single packet. Server wakes all N handlers in the same epoch.
- HTTP/1.1 pipelined coalesce. Send N pipelined requests back-to-back on one connection, with Nagle off and large MSS. Less reliable than H2 but works against legacy origins.
Use cases:
- Authorization race: hit “withdraw $100” N times before the balance-check fires once.
- Coupon stacking: apply the same promo code N times.
- MFA bypass: submit OTP guesses faster than the rate-limit window opens.
- TOCTOU file uploads: race between virus-scan and storage.
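The authorization race from the list above, seen from the server side, as an added example that is not part of this crate: a check-then-act withdrawal next to a version that checks and debits in one critical section. The function names are hypothetical, and the `Barrier` is an assumption standing in for both the synchronized arrival of the requests and the latency between the balance check and the commit.

```rust
use std::sync::{Arc, Barrier, Mutex};
use std::thread;

type Handler = fn(&Mutex<i64>, i64, &Barrier) -> bool;

/// Vulnerable: the balance check and the debit are separate critical sections.
fn withdraw_racy(balance: &Mutex<i64>, amount: i64, window: &Barrier) -> bool {
    let ok = *balance.lock().unwrap() >= amount; // check (lock released right after)
    window.wait(); // every synchronized request has now passed the check
    if ok {
        *balance.lock().unwrap() -= amount; // act on a stale decision
    }
    ok
}

/// Hardened: check and debit under one lock, the in-memory analogue of a
/// conditional UPDATE or a row lock held across both steps.
fn withdraw_atomic(balance: &Mutex<i64>, amount: i64, window: &Barrier) -> bool {
    window.wait(); // same synchronized arrival as the racy handler
    let mut b = balance.lock().unwrap();
    if *b >= amount {
        *b -= amount;
        true
    } else {
        false
    }
}

/// Runs `n` simultaneous withdrawals; returns (approved requests, final balance).
fn simulate(n: usize, start: i64, amount: i64, handler: Handler) -> (usize, i64) {
    let balance = Arc::new(Mutex::new(start));
    let window = Arc::new(Barrier::new(n));
    let workers: Vec<_> = (0..n)
        .map(|_| {
            let (b, w) = (Arc::clone(&balance), Arc::clone(&window));
            thread::spawn(move || handler(&b, amount, &w))
        })
        .collect();
    let approved = workers.into_iter().filter(|_| true).map(|h| h.join().unwrap()).filter(|ok| *ok).count();
    let final_balance = *balance.lock().unwrap();
    (approved, final_balance)
}

fn main() {
    // Constructed scenario: balance 100, ten simultaneous withdrawals of 100.
    println!("racy:   {:?}", simulate(10, 100, 100, withdraw_racy));
    println!("atomic: {:?}", simulate(10, 100, 100, withdraw_atomic));
}
```

The racy handler approves every request and drives the balance negative; the atomic handler approves exactly one, no matter how tightly the requests are synchronized.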
Constants
- RECOMMENDED_SOCKET_SETTINGS - Recommended socket-level settings for the single-packet attack. Operators set these on their sender’s TCP socket before issuing the payload from pipelined_h1_coalesce/h2_last_byte_sync_frames.
Functions
- h2_last_byte_sync_frames - Build the N partial-bodies for the HTTP/2 last-byte-sync attack.
- h2_prestaged_frames - Build the N pre-final-byte HTTP/2 frame sequences for step 2 of the last-byte-sync attack.
- pipelined_h1_coalesce - Build the byte-for-byte HTTP/1.1 pipelined coalesce payload for N identical requests.