A newly discovered denial-of-service (DoS) attack has been found to be capable of crashing web servers in under a minute. Dubbed the ‘HTTP/2 Bomb,’ this technique combines two previously known methods to exploit default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
**How the Attack Works**
The attack works by inserting a header into the HPACK dynamic table and referencing it repeatedly via a compact indexed representation. This can result in thousands of bytes of server-side memory allocation, with Envoy and Apache httpd demonstrating the worst ratios at 5,700:1 and 4,000:1, respectively.
The second part of the attack involves preventing the memory from being freed once the request completes. This is achieved by advertising a zero-byte flow-control window, causing the server to periodically send tiny WINDOW_UPDATE frames to avoid timeouts. As a result, the requests are never fully completed, and the allocated memory keeps growing without being freed.
**Researchers’ Findings**
The HTTP/2 Bomb attack was discovered using OpenAI’s Codex software agent under the guidance of researchers at Calif. They tested the new DoS attack technique against four major web servers, achieving the following results:
* Envoy 1.37.2 exhausted 32 GB RAM in about 10 seconds
* Apache httpd 2.4.67 exhausted 32 GB RAM in ~18 seconds
* nginx 1.29.7 exhausted 32 GB RAM in ~45 seconds
* IIS (Windows Server 2025) exhausted 64 GB RAM in ~45 seconds
**Mitigation and Patches**
While neither part of the attack was particularly novel, combining the two techniques has a significant impact. The researchers note that although the specifications for the HPACK algorithm focus on memory amplification risks, they do not address what happens when an attacker holds allocated memory indefinitely via HTTP/2 flow control.
Not all web servers are vulnerable to the ‘HTTP/2 Bomb’ attack, as patches have already been released for some platforms. In addition, certain custom server configurations may provide indirect protection against the attack. For example, systems running behind CDNs or reverse proxies do not expose the vulnerable HTTP/2 endpoint and are more difficult to target.
To mitigate this vulnerability, it is recommended to disable HTTP/2 where feasible, and place a proxy/firewall in front that enforces hard header-count limits. Patches have been released for NGINX and Apache httpd, but no patch is available for IIS, Envoy, or Pingora at the time of writing.
**Full Disclosure**
The full technical details for the HTTP/2 Bomb DoS attack will be disclosed at the Real World AI Security conference later this month in a presentation from researcher Quang Luong. However, proof-of-concept (PoC) exploits have already been published for the new attack method.
Source: Original article