New HTTP/2 Bomb DoS Attack Crashes Major Web Servers in Seconds
What Happened – Researchers disclosed a novel denial‑of‑service technique, dubbed HTTP/2 Bomb, that can exhaust a server’s RAM and render it unavailable in under a minute from a single client on a 100 Mbps link. The attack leverages HPACK header‑compression amplification together with a flow‑control stall that keeps the allocated memory from being released.
Why It Matters for TPRM –
- Critical web‑hosting and SaaS providers can experience abrupt service outages, breaching SLAs.
- The vulnerability exists in default configurations of widely‑deployed servers (NGINX, Apache, IIS, Envoy, Cloudflare Pingora).
- Mitigations require patching or configuration changes that may impact performance or cost.
Who Is Affected – Technology / SaaS vendors, cloud‑hosting platforms, any organization that runs public‑facing HTTP/2 services.
Recommended Actions –
- Verify that your web‑server stack is patched to the latest releases that address the HPACK‑amplification issue.
- Apply recommended configuration hardening (limit header table size, enforce flow‑control windows).
- Conduct DoS testing against your environment and update incident‑response playbooks.
Technical Notes – The attack combines two known HTTP/2 DoS methods: HPACK compression amplification (a single byte on the wire can expand to thousands of bytes of decoded header data in memory) and Slowloris‑style flow‑control stalling via zero‑byte WINDOW_UPDATE frames, so the server cannot drain what it has buffered. Tested servers showed 32 GB of RAM exhausted in 10‑45 seconds. PoC code is already public.
Source: BleepingComputer
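To make the "limit header table size" mitigation concrete, the following is an added example written for this brief; it is not code from the researchers, from BleepingComputer, or from any of the affected servers. It implements a small subset of an HPACK decoder (RFC 7541 integer and literal encoding, indexed and literal-with-incremental-indexing representations, no Huffman coding and no static table entries) and enforces the SETTINGS_MAX_HEADER_LIST_SIZE accounting from RFC 7540 §6.5.2 (name length + value length + 32 octets per field). The sample header blocks, the `x-pad` header name and the 4096-byte budget are constructed for the demonstration: a 3 KB header is sent once as a literal, then referenced twice from the dynamic table in two wire bytes, and the bounded decoder rejects the second block before the expansion is materialized.

```python
"""Minimal HPACK decoder (RFC 7541 subset) with a decoded-header budget.
Added example; Huffman strings and the static table are deliberately unsupported."""

STATIC_TABLE_SIZE = 61  # RFC 7541 Appendix A; dynamic entries start at index 62


class HeaderBudgetExceeded(Exception):
    """Raised when a header block decodes past SETTINGS_MAX_HEADER_LIST_SIZE."""


def encode_int(value, prefix_bits, flags=0):
    """RFC 7541 §5.1 integer with an N-bit prefix; flags hold the representation bits."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_str(s):
    return encode_int(len(s), 7) + s  # H bit clear: raw octets, no Huffman


def decode_str(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings are outside this example")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length


def literal_with_indexing(name, value):
    """'01' representation, index 0 => literal name; entry is added to the dynamic table."""
    return encode_int(0, 6, 0x40) + encode_str(name) + encode_str(value)


def indexed(index):
    """'1' representation: one reference to a table entry (1 byte for index < 127)."""
    return encode_int(index, 7, 0x80)


def field_size(name, value):
    return len(name) + len(value) + 32  # RFC 7541 §4.1 / RFC 7540 §6.5.2 accounting


class BoundedHpackDecoder:
    def __init__(self, dynamic_table_max=4096, max_header_list_size=8192):
        self.dynamic_table_max = dynamic_table_max   # SETTINGS_HEADER_TABLE_SIZE
        self.max_header_list_size = max_header_list_size  # SETTINGS_MAX_HEADER_LIST_SIZE
        self.dyn = []       # newest entry first, as in RFC 7541 §2.3.2
        self.dyn_size = 0

    def _add(self, name, value):
        self.dyn.insert(0, (name, value))
        self.dyn_size += field_size(name, value)
        while self.dyn_size > self.dynamic_table_max:   # evict oldest entries
            n, v = self.dyn.pop()
            self.dyn_size -= field_size(n, v)

    def _lookup(self, index):
        if index <= STATIC_TABLE_SIZE:
            raise ValueError("static table entries are outside this example")
        i = index - STATIC_TABLE_SIZE - 1
        if i >= len(self.dyn):
            raise ValueError("dynamic table index out of range")
        return self.dyn[i]

    def decode_block(self, block):
        """Decode one header block; abort as soon as the decoded size exceeds the budget."""
        headers, used, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                                   # indexed header field
                idx, pos = decode_int(block, pos, 7)
                name, value = self._lookup(idx)
            elif b & 0x40:                                 # literal, incremental indexing
                idx, pos = decode_int(block, pos, 6)
                if idx:
                    name = self._lookup(idx)[0]
                else:
                    name, pos = decode_str(block, pos)
                value, pos = decode_str(block, pos)
                self._add(name, value)
            else:
                raise ValueError("representation not covered by this example")
            used += field_size(name, value)
            if used > self.max_header_list_size:
                raise HeaderBudgetExceeded(f"decoded {used} B > {self.max_header_list_size} B")
            headers.append((name, value))
        return headers


def amplification_demo(budget):
    """Constructed scenario: returns (wire bytes of block 2, decoded bytes, rejected?)."""
    dec = BoundedHpackDecoder(max_header_list_size=budget)
    dec.decode_block(literal_with_indexing(b"x-pad", b"A" * 3000))  # 3010 wire bytes
    block2 = indexed(62) * 2                                         # 2 wire bytes
    try:
        decoded = sum(field_size(n, v) for n, v in dec.decode_block(block2))
        return len(block2), decoded, False
    except HeaderBudgetExceeded:
        return len(block2), None, True


if __name__ == "__main__":
    print(amplification_demo(4096))   # budget enforced: (2, None, True)
    print(amplification_demo(8192))   # budget too loose: (2, 6074, False)
```

The point of the example is the ordering inside `decode_block`: the budget is checked after every field, so a block of two-byte references is rejected on the second field instead of being fully expanded and only then measured. Real servers expose this limit as a tunable (the page's "limit header table size" recommendation); the value that is safe for a given deployment depends on the legitimate header sizes the service needs, which is why the brief notes that hardening can have a performance or cost impact.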