HTTP/2-Bomb Attack: DoS Attack Crashes Web Servers in Seconds

At a glance: A new HTTP/2-based DoS attack can take down individual web servers in seconds and requires immediate measures to harden the protocol.

A new Denial-of-Service attack called HTTP/2 Bomb can bring down web servers within seconds from a single machine. The attack exploits vulnerabilities in the HTTP/2 protocol and represents a practical threat to the availability of critical web infrastructure.

The HTTP/2 Bomb attack is a newly documented Denial-of-Service method that requires only a single attacker machine to crash target servers. It leverages properties of the HTTP/2 protocol that let the attacker generate significant load on the target server while spending minimal resources of their own. The attack can completely disable servers in under a minute.

For security professionals, this vulnerability is relevant because many organizations now use HTTP/2 by default without adequate protective measures against such protocol-based attacks. A single attacker can cause considerable damage to the availability of web applications and services without needing to mobilize botnets or complex infrastructure.

CISOs should review their HTTP/2 implementations, configure rate limiting and connection limits, and establish monitoring for unusual request patterns. Additionally, coordination with infrastructure and load balancer teams is recommended to implement protective measures at the network level.
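
One way to express the connection limits, rate limits and monitoring recommended above, as an added example that is not from the source article. It assumes nginx 1.25.1 or later terminates HTTP/2; the zone names, thresholds, paths and upstream address are illustrative assumptions to tune against baseline traffic, not values shown to stop this specific attack.

```nginx
# Added example (assumption: nginx >= 1.25.1 is the HTTP/2 terminator).
# All names and numbers below are illustrative, not taken from the article.
http {
    # Per-client-IP state for connection and request limits.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone  $binary_remote_addr zone=perip_req:10m rate=50r/s;

    # Log the connection serial and requests-per-connection so monitoring
    # can spot single connections carrying abnormal request counts.
    log_format h2mon '$remote_addr $connection $connection_requests '
                     '$server_protocol $status $request_length $request_time';

    server {
        listen 443 ssl;
        http2 on;
        server_name example.test;                           # placeholder
        ssl_certificate     /etc/nginx/tls/example.crt;     # placeholder path
        ssl_certificate_key /etc/nginx/tls/example.key;     # placeholder path
        access_log /var/log/nginx/h2mon.log h2mon;

        # Cap concurrent streams per HTTP/2 connection (nginx default: 128).
        http2_max_concurrent_streams 32;

        # Close a connection after this many requests; idle ones sooner.
        keepalive_requests 500;
        keepalive_timeout  30s;

        # Bound request header size and slow header/body delivery.
        large_client_header_buffers 4 8k;
        client_header_timeout 10s;
        client_body_timeout   10s;

        # Per-IP ceilings. For HTTP/2, nginx counts each concurrent
        # request as a separate connection for limit_conn.
        limit_conn perip_conn 20;
        limit_conn_status 429;
        limit_req zone=perip_req burst=100 nodelay;
        limit_req_status 429;

        location / {
            proxy_pass http://127.0.0.1:8080;               # placeholder upstream
        }
    }
}
```

Alerting on a rise in 429 responses, or on `$connection_requests` values far above the normal per-connection range in the `h2mon` log, covers the monitoring part of the recommendation.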


Source: www.bleepingcomputer.com · Published June 3, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.