A memory leak in HTTP/2 implementations enables DoS attacks on Nginx, Apache HTTPD, and Microsoft IIS with just a 100-Mbps connection and standard hardware.
The HTTP/2 Bomb combines metadata amplification with Slowloris tactics to enable massive DoS attacks without threshold limitations, as the protocol specification insufficiently controls memory.