TechRadar
Sead Fadilpašić

OpenAI’s Codex helps discover HTTP/2 Bomb DoS attack that can nuke over 30GB of RAM within seconds, knocking web servers offline before they can react

  • New DoS technique dubbed HTTP/2 Bomb
  • Exploits compression and flow‑control stalling
  • Major web servers confirmed vulnerable

We can thank AI for a new denial-of-service (DoS) technique that can knock a server offline in mere seconds, using nothing but a single computer with a 100 Mbps connection.

Earlier this week, cybersecurity researchers at Calif disclosed a new DoS technique called HTTP/2 Bomb. They used OpenAI’s Codex software agent to find it, and say it combines two previously known HTTP/2 DoS methods: HPACK compression amplification, and Slowloris-style resource retention via HTTP/2 flow-control stalling.

Simply put, the attack tricks a web server into reserving large amounts of memory while sending very little data. The attacker exploits a feature in HTTP/2 that allows small requests to expand into much larger amounts of data inside the server, forcing it to allocate memory.

Proof of Concept released

Normally, that memory would be released after processing the request. However, the attacker then uses a separate HTTP/2 feature to keep the connection open indefinitely. As more malicious requests arrive, memory usage grows fast, until the server slows down and ultimately crashes.

Calif says the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

According to CyberInsider, the affected products "power a significant portion of the web", suggesting that the risk is quite extensive. Some vendors have already issued a patch, while others remain vulnerable. Keep track of your servers’ configurations and watch for incoming updates.

“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds,” the researchers said.

Current defenses are powerless against HTTP/2 Bomb, it was further explained. Limits on the total decoder header size, for example, don’t work, since the header values used in the attack are minuscule.
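To make the two ingredients concrete from a defender’s side, here is an added toy accounting model (not Calif’s proof of concept, and not code from any of the servers named above). It models each stalled stream as holding its decoded header bytes until the server resets it, and compares two hypothetical admission policies: a cap on the encoded header block, which is the kind of limit the article says does not help because the wire bytes are tiny, and a per-connection budget on decoded bytes retained for stalled streams, paired with a stall timeout. The amplification ratio, budgets and timeout are constructed values, not measurements from the page.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# Constructed toy numbers for the model, not measurements from the article.
ENCODED_BYTES = 64             # wire size of one HEADERS frame in the model
DECODED_BYTES = 256 * 1024     # bytes the server holds for that frame after expansion


@dataclass
class Stream:
    stream_id: int
    encoded_bytes: int
    decoded_bytes: int
    opened_at: float           # seconds since the connection was opened
    stalled: bool = True       # peer holds the flow-control window at zero


@dataclass
class Connection:
    streams: List[Stream] = field(default_factory=list)
    rejected: int = 0

    def retained_bytes(self) -> int:
        # Memory the server is still holding for streams the peer refuses to drain.
        return sum(s.decoded_bytes for s in self.streams if s.stalled)


def encoded_limit_policy(conn: Connection, stream: Stream, max_encoded: int = 8 * 1024) -> bool:
    """Check only the encoded header block size. This is the kind of limit the
    article says does not help: the bytes on the wire stay far under it."""
    if stream.encoded_bytes > max_encoded:
        conn.rejected += 1
        return False
    conn.streams.append(stream)
    return True


def retained_budget_policy(conn: Connection, stream: Stream,
                           max_retained: int = 2 * 1024 * 1024) -> bool:
    """Admit a stream only if the decoded bytes held for stalled streams on this
    connection stay under a per-connection budget (hypothetical mitigation)."""
    if conn.retained_bytes() + stream.decoded_bytes > max_retained:
        conn.rejected += 1
        return False
    conn.streams.append(stream)
    return True


def expire_stalled(conn: Connection, now: float, max_stall_seconds: float = 5.0) -> int:
    """Drop streams whose window has been held at zero longer than the timeout,
    releasing their memory. Returns how many streams were reset."""
    keep, freed = [], 0
    for s in conn.streams:
        if s.stalled and now - s.opened_at > max_stall_seconds:
            freed += 1
        else:
            keep.append(s)
    conn.streams = keep
    return freed


def simulate(policy: Callable[[Connection, Stream], bool], n_streams: int = 1000,
             now: float = 10.0) -> Tuple[int, int, int, int]:
    """Open n_streams stalled streams through `policy`; return
    (retained bytes before timeout, retained after, rejected, freed)."""
    conn = Connection()
    for i in range(n_streams):
        s = Stream(stream_id=2 * i + 1, encoded_bytes=ENCODED_BYTES,
                   decoded_bytes=DECODED_BYTES, opened_at=i * 0.001)
        policy(conn, s)
    before = conn.retained_bytes()
    freed = expire_stalled(conn, now)
    return before, conn.retained_bytes(), conn.rejected, freed


if __name__ == "__main__":
    for name, policy in (("encoded-size limit", encoded_limit_policy),
                         ("retained-bytes budget", retained_budget_policy)):
        before, after, rejected, freed = simulate(policy)
        print(f"{name}: held {before / 2**20:.0f} MiB before timeout, "
              f"{after} bytes after, rejected {rejected}, freed {freed}")
```

Under the encoded-size limit every stream is admitted and the connection holds 256 MiB until the stall timeout fires; under the retained-bytes budget the same connection never holds more than 2 MiB, and streams past the budget are refused up front. The point of the model is the accounting unit: what protects the server is a bound on memory actually held per connection, checked against decoded size and enforced with a deadline on stalled streams, not a bound on what arrived on the wire.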

Technical details will be released later this month, it was said, but Calif already released a proof-of-concept (PoC).

Via BleepingComputer
