Network Security

New HTTP/2 Bomb attack can take down web servers in seconds

Per Bleeping Computer, researchers at Calif have discovered a novel denial-of-service (DoS) attack, dubbed HTTP/2 Bomb, that can overwhelm web servers from a single machine within seconds. The researchers found the method with the help of OpenAI's Codex agent.

The HTTP/2 Bomb attack exploits the default configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora. It combines HPACK compression amplification with Slowloris-style resource retention by stalling HTTP/2 flow control, which lets a single client on a 100 Mbps connection consume tens of gigabytes of server RAM in a short time. The researchers demonstrated that 32 GB of RAM could be exhausted in approximately 10 seconds on Envoy and 18 seconds on Apache httpd.

While patches are available for NGINX and Apache httpd, IIS, Envoy, and Pingora remain vulnerable. Mitigation strategies include disabling HTTP/2 or placing a proxy with strict header-count limits in front of the server. The attack bypasses some existing defenses by using tiny header values and by keeping memory allocated indefinitely through stalled flow control.
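Because the mitigations above come down to what limits an HTTP/2 endpoint enforces, one baseline check a defender can run against their own edge is to look at what it advertises in its SETTINGS frame (RFC 7540, section 6.5): whether it announces a bound on header-list size and on concurrent streams, and what initial flow-control window it offers. The following is an added example and not code from the article, Bleeping Computer, or the Calif researchers. It parses SETTINGS frames from bytes and flags values that are left at the RFC defaults, which are unlimited for header-list size and concurrent streams. The two sample frames are hand-constructed, and the thresholds in `audit_settings` are assumptions chosen for illustration, not values from the article.

```python
"""Parse HTTP/2 SETTINGS frames and flag unbounded header/flow-control settings.

Frame layout (RFC 7540 section 4.1): 24-bit length, 8-bit type, 8-bit flags,
1 reserved bit + 31-bit stream id, then the payload. A SETTINGS payload is a
sequence of (16-bit identifier, 32-bit value) pairs (section 6.5.1).
"""
import struct

FRAME_HEADER_LEN = 9
SETTINGS_FRAME_TYPE = 0x4

# Setting identifiers from RFC 7540 section 6.5.2
SETTINGS_HEADER_TABLE_SIZE = 0x1
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6

RFC_DEFAULT_INITIAL_WINDOW = 65535


def parse_frame_header(buf: bytes):
    """Return (length, type, flags, stream_id) from the first 9 bytes."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("truncated frame header")
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    return length, ftype, flags, stream_id


def parse_settings(frame: bytes) -> dict:
    """Decode one SETTINGS frame into {identifier: value}, validating structure."""
    length, ftype, _flags, stream_id = parse_frame_header(frame)
    if ftype != SETTINGS_FRAME_TYPE:
        raise ValueError(f"not a SETTINGS frame (type 0x{ftype:x})")
    if stream_id != 0:
        raise ValueError("SETTINGS must be sent on stream 0")
    if length % 6 != 0:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length:
        raise ValueError("truncated SETTINGS payload")
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[ident] = value
    return settings


def audit_settings(settings: dict,
                   max_header_list: int = 16384,   # assumed threshold
                   max_streams: int = 128,         # assumed threshold
                   max_window: int = 1 << 20) -> list:
    """Return a list of findings for settings that leave resources unbounded."""
    findings = []
    if SETTINGS_MAX_HEADER_LIST_SIZE not in settings:
        findings.append("MAX_HEADER_LIST_SIZE not advertised: RFC default is unlimited")
    elif settings[SETTINGS_MAX_HEADER_LIST_SIZE] > max_header_list:
        findings.append(f"MAX_HEADER_LIST_SIZE {settings[SETTINGS_MAX_HEADER_LIST_SIZE]} exceeds {max_header_list}")
    if SETTINGS_MAX_CONCURRENT_STREAMS not in settings:
        findings.append("MAX_CONCURRENT_STREAMS not advertised: RFC default is unlimited")
    elif settings[SETTINGS_MAX_CONCURRENT_STREAMS] > max_streams:
        findings.append(f"MAX_CONCURRENT_STREAMS {settings[SETTINGS_MAX_CONCURRENT_STREAMS]} exceeds {max_streams}")
    window = settings.get(SETTINGS_INITIAL_WINDOW_SIZE, RFC_DEFAULT_INITIAL_WINDOW)
    if window > max_window:
        findings.append(f"INITIAL_WINDOW_SIZE {window} exceeds {max_window}")
    return findings


def build_settings_frame(pairs) -> bytes:
    """Build a SETTINGS frame from (identifier, value) pairs; used for constructed samples."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)
    header = struct.pack("!I", len(payload))[1:] + bytes([SETTINGS_FRAME_TYPE, 0]) + struct.pack("!I", 0)
    return header + payload


# Constructed sample frames (not captured from any real server).
WEAK_FRAME = build_settings_frame([(SETTINGS_INITIAL_WINDOW_SIZE, (1 << 31) - 1)])
HARDENED_FRAME = build_settings_frame([
    (SETTINGS_MAX_HEADER_LIST_SIZE, 16384),
    (SETTINGS_MAX_CONCURRENT_STREAMS, 100),
    (SETTINGS_INITIAL_WINDOW_SIZE, RFC_DEFAULT_INITIAL_WINDOW),
])

if __name__ == "__main__":
    for name, frame in (("weak", WEAK_FRAME), ("hardened", HARDENED_FRAME)):
        print(name, audit_settings(parse_settings(frame)))
```

Note that SETTINGS_MAX_HEADER_LIST_SIZE is advisory in RFC 7540: advertising it tells the peer what the server claims to accept, but the actual protection comes from the server or proxy refusing header blocks that exceed its configured limits. Treat a clean audit as a starting point for testing the enforced limit, not as proof that the server is hardened.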

Source: Bleeping Computer
