Module race


Single-packet race-condition primitives (Kettle BH23 “Smashing the State Machine”): HTTP/1.1 pipelined coalesce + HTTP/2 last-byte-sync frame builders. Builds wire bytes only; the transport layer handles the TCP_NODELAY-off + writev coalesce.

Race conditions in web applications usually require the attacker to fire N parallel requests so close in time that they all reach the application’s logic check before any of them commits. The limit is no longer “how fast can I send” — it’s “how synchronized can my requests be when they hit the server’s TCP layer.”

James Kettle’s Black Hat 2023 “Smashing the State Machine” research introduced the single-packet attack: pack the LAST byte of N HTTP/2 requests (or N parallel HTTP/1.1 pipelined requests) into one IP packet. The kernel delivers all N at once; they cross the application’s race window in nanoseconds rather than milliseconds.

This module builds the WIRE BYTES for the attack. The actual “send everything in one TCP packet” trick is a transport-layer concern: the operator must leave Nagle's algorithm enabled (TCP_NODELAY off; yes, OFF, so that Nagle batches the writes), keep the connection open with HTTP/2, and use MSG_MORE-style writev to coalesce.

Two attack shapes:

  • HTTP/2 last-byte-sync. Send N concurrent streams, each stalled with the body almost-but-not-quite complete. Then send ONE final-byte frame per stream in a single packet. Server wakes all N handlers in the same epoch.
  • HTTP/1.1 pipelined coalesce. Send N pipelined requests back-to-back on one connection, with Nagle off and large MSS. Less reliable than H2 but works against legacy origins.

Use cases:

  • Authorization race: hit “withdraw $100” N times before the balance-check fires once.
  • Coupon stacking: apply the same promo code N times.
  • MFA bypass: submit OTP guesses faster than the rate-limit window opens.
  • TOCTOU file uploads: race between virus-scan and storage.
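
The authorization-race use case above, seen from the server side, as an added example that is not part of this crate: a check-then-act withdrawal handler next to a version that checks and debits under one lock. The function names, amounts and the 100 ms window are constructed for illustration, and the burst is simulated in-process with a barrier rather than over the network.

```rust
use std::sync::atomic::{AtomicI64, Ordering};
use std::sync::{Arc, Barrier, Mutex};
use std::{thread, time::Duration};
// Constructed race window standing in for a DB round trip, widened for the demo.
const WINDOW: Duration = Duration::from_millis(100);

/// Vulnerable: balance check and debit are separate steps (check-then-act).
fn withdraw_racy(balance: &AtomicI64, amount: i64) -> bool {
    if balance.load(Ordering::SeqCst) < amount {
        return false;
    }
    thread::sleep(WINDOW);
    balance.fetch_sub(amount, Ordering::SeqCst);
    true
}

/// Hardened: check and debit happen under one lock, so no request sees stale state.
fn withdraw_locked(balance: &Mutex<i64>, amount: i64) -> bool {
    let mut b = balance.lock().unwrap();
    if *b < amount {
        return false;
    }
    thread::sleep(WINDOW);
    *b -= amount;
    true
}

/// Release `n` handlers at the same instant; return (approved withdrawals, final balance).
fn run_burst(n: usize, start: i64, amount: i64, hardened: bool) -> (usize, i64) {
    let racy = Arc::new(AtomicI64::new(start));
    let locked = Arc::new(Mutex::new(start));
    let gate = Arc::new(Barrier::new(n));
    let handles: Vec<_> = (0..n)
        .map(|_| {
            let (racy, locked, gate) = (racy.clone(), locked.clone(), gate.clone());
            thread::spawn(move || {
                gate.wait(); // every handler reaches the check together
                if hardened { withdraw_locked(&locked, amount) } else { withdraw_racy(&racy, amount) }
            })
        })
        .collect();
    let approved = handles.into_iter().map(|h| h.join().unwrap()).filter(|ok| *ok).count();
    let end = if hardened { *locked.lock().unwrap() } else { racy.load(Ordering::SeqCst) };
    (approved, end)
}

fn main() {
    println!("racy {:?}, hardened {:?}", run_burst(5, 100, 100, false), run_burst(5, 100, 100, true));
}
```

In a real service the lock corresponds to a single atomic statement or a row-level lock in the datastore, since an in-process mutex does not cover multiple application instances.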

Constants

RECOMMENDED_SOCKET_SETTINGS
Recommended socket-level settings for the single-packet attack. Operators set these on their sender’s TCP socket before issuing the payload from pipelined_h1_coalesce / h2_last_byte_sync_frames.

Functions

h2_last_byte_sync_frames
Build the N partial-bodies for the HTTP/2 last-byte-sync attack.
h2_prestaged_frames
Build the N pre-final-byte HTTP/2 frame sequences for step 2 of the last-byte-sync attack.
pipelined_h1_coalesce
Build the byte-for-byte HTTP/1.1 pipelined coalesce payload for N identical requests.