
HTTP/2 Attack Chokes Major Web Servers With Memory Exhaustion

A single attacker on a home connection can exhaust tens of gigabytes of server memory in seconds by combining HPACK compression bombs with flow control manipulation.

CSBadmin

How the Attack Works

A new denial-of-service technique called the HTTP/2 Bomb targets the default configurations of widely used web servers such as nginx, Apache httpd, Microsoft IIS, Envoy, and Cloudflare Pingora. The exploit was discovered by researcher Quang Luong and combines two known techniques in a novel way: an HPACK compression bomb and a Slowloris-style connection hold.

HPACK is HTTP/2’s header compression scheme, which maintains a dynamic table of recently seen headers. The attacker seeds this table with one header and then sends thousands of single-byte references to it in a single request. This forces the server to allocate memory for each reference, creating a massive amplification. For example, a few bytes from the attacker can cause Apache or Envoy to allocate around 4,000 bytes per reference.

Impact and Scope

The second component exploits HTTP/2’s per-stream flow control. The client advertises a zero-byte flow control window, preventing the server from completing its response. A trickle of small WINDOW_UPDATE frames resets the send timeout, keeping all memory allocations active indefinitely. This turns a brief burst of memory consumption into a persistent drain that can exhaust server resources within seconds.

Testing showed dramatic results. Envoy 1.37.2 exhibited an amplification ratio of roughly 5,700 to 1, exhausting 32 gigabytes of memory in about 10 seconds. Apache httpd 2.4.67 achieved around 4,000 to 1 amplification, consuming the same memory in 18 seconds. Nginx and IIS required longer but still reached exhaustion in under a minute. A Shodan analysis identified more than 880,000 public-facing websites running vulnerable configurations. For servers that cap header field counts rather than decoded size, the exploit uses a Cookie header bypass, as the HTTP/2 specification explicitly permits splitting a Cookie header into multiple pieces.
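The difference between a field-count cap and a decoded-size cap can be shown with a small server-side budget check. This is an added example, not code from the article or from any of the servers named; the limits (16384 bytes, 100 fields), the sample header list, and the weak policy that skips cookie crumbs are constructed assumptions. Each field is charged name length + value length + 32 octets, the accounting defined in RFC 7541.

```python
"""Added example: decoded-size budget for an HTTP/2 header list (not any server's code)."""
from typing import Iterable, Iterator, Tuple

Field = Tuple[bytes, bytes]
ENTRY_OVERHEAD = 32  # octets charged per field, as in RFC 7541 section 4.1


class HeaderBudgetExceeded(Exception):
    def __init__(self, reason: str, fields_seen: int, decoded_bytes: int):
        super().__init__(f"{reason} limit hit after {fields_seen} fields ({decoded_bytes} bytes)")
        self.reason, self.fields_seen, self.decoded_bytes = reason, fields_seen, decoded_bytes


def count_only_accepts(fields: Iterable[Field], max_fields: int = 100) -> bool:
    """Weak policy (modelled assumption): caps field count, ignores cookie crumbs and size."""
    return sum(1 for name, _ in fields if name != b"cookie") <= max_fields


def enforce_budget(fields: Iterable[Field], max_list_size: int = 16384,
                   max_fields: int = 100) -> int:
    """Charge every decoded field, crumbs included, and stop at the first limit crossed."""
    total = 0
    for seen, (name, value) in enumerate(fields, start=1):
        if seen > max_fields:
            raise HeaderBudgetExceeded("count", seen, total)
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > max_list_size:
            raise HeaderBudgetExceeded("size", seen, total)
    return total


def sample_fields(crumbs: int, crumb_value: bytes) -> Iterator[Field]:
    """Constructed decoded header list: four pseudo-headers plus split cookie crumbs."""
    yield from [(b":method", b"GET"), (b":path", b"/"),
                (b":scheme", b"https"), (b":authority", b"example.test")]
    for _ in range(crumbs):
        yield (b"cookie", crumb_value)


if __name__ == "__main__":
    big = b"k=" + b"v" * 254  # 256-byte constructed crumb value
    print("count-only policy accepts:", count_only_accepts(sample_fields(1000, big)))
    for value in (big, b"a=1"):
        try:
            enforce_budget(sample_fields(1000, value))
        except HeaderBudgetExceeded as exc:
            print("rejected:", exc)
```

Because the check runs per field over an iterator, decoding stops at the first field that crosses a limit instead of after the whole list has been materialised.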

Source: Cyber Security News
