SPA New Method

Improved Single Packet Attack Method (BH-2024)

In this method you have to send a PING frame, before sending the requests:

1. Setup Connection
2. Send a PING frame <-- Important
3. For Requests without Body:
   1. send headers
   2. withhold an empty data frame
4. For Requests with Body:
   1. Send headers, and body except the final byte
   2. withhold a data frame containing the final byte
5. wait for 100ms
6. send a ping frame
7. send the final frames
8. Use start_thread_response_parsing method below to get responses times in nano seconds.

h2_conn.setup_connection()
h2_conn.send_ping_frame()  <--- Important Line  

h2_conn.send_frames(temp_headers_bytes)
sleep(0.1)
h2_conn.send_ping_frame()
h2_conn.send_frames(temp_data_bytes)  # last frames with last bytes

Parse Response (Threaded) + Response Times for Timing Attacks

Use start_thread_response_parsing() method after setting up the connection or after sending your requests:

...IMPORTS...

h2_conn = H2OnTlsConnection(
    hostname='http2.github.io',
    port_number=443
)

h2_conn.setup_connection()

# ...Send Requests with Single Packet Attack Technique...

h2_conn.start_thread_response_parsing(_timeout=3)
while not h2_conn.is_threaded_response_finished:
    sleep(1)

if h2_conn.is_threaded_response_finished is None:
    print('Error has occurred!')
    exit()

frame_parser = h2_conn.threaded_frame_parser

h2_conn.close_connection()

for x in frame_parser.headers_and_data_frames.keys():
    d = frame_parser.headers_and_data_frames[x]
    print(f'Stream ID: {x}, response nano seconds: {d["nano_seconds"]}')

Full Code

See improved-spa-method.py for improved version of SPA and timing attack

Reference of Improved Method:

• Listen to the whispers: web timing attacks that actually work