Bottom line: The HTTP/2 Bomb combines metadata amplification with Slowloris tactics and enables large-scale DoS attacks without hitting any threshold limits, because the protocol specification does not adequately bound memory use.
A new denial-of-service attack pattern targeting HTTP/2 threatens leading web servers such as NGINX, Apache HTTPD, and Microsoft IIS in their default configurations. Security firm Calif documents a vulnerability in which a simple client can tie up 32 gigabytes of server memory within 20 seconds.
IT security company Calif has documented a new vulnerability in the HTTP/2 network protocol. The vulnerability enables denial-of-service attacks on NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora — the world’s most widely deployed web servers. According to Calif, the vulnerability was discovered with the help of OpenAI Codex by combining two known attack patterns: a compression bomb and a Slowloris-like connection-blocking attack. The vulnerable behavior exists in the default HTTP/2 configuration of all affected software packages and thus affects nearly every production installation that has not been hardened.