New HTTP/2 Bomb DoS Attack Crashes Web Servers in Under a Minute
A new DoS technique dubbed HTTP/2 Bomb can crash major web servers in seconds from a single machine by combining HPACK header compression amplification with HTTP/2 flow-control stalling (Slowloris-style). Discovered with OpenAI's Codex under Calif researchers, it can exhaust tens of gigabytes of RAM within seconds on a 100 Mbps link; in tests, Envoy hit 32 GB in ~10 seconds, Apache httpd ~18 seconds, Nginx ~45 seconds, and IIS ~45 seconds (64 GB RAM). Patches exist for nginx (1.29.8, max_headers) and Apache httpd (mod_http2 2.0.41, CVE-2026-49975); patches for IIS, Envoy, and Pingora are not yet available. Mitigations include disabling HTTP/2 where feasible or placing a proxy/firewall that enforces hard header-count limits. PoC exploits are public, and full technical details will be disclosed at the Real World AI Security conference.

Overview
A newly identified denial-of-service technique leverages HTTP/2 features to incapacitate web servers from a single machine in a matter of seconds. The attack targets default HTTP/2 configurations on major servers, exploiting combinations of header compression and connection flow-control to exhaust memory and stall request completion.
How the attack operates
The method combines two previously known HTTP/2 denial strategies into a single, coordinated flow:
HPACK-based memory amplification
- The attacker inserts a tiny header into the HPACK dynamic table and then references it repeatedly with a compact, often one-byte, index.
- Each such reference causes the server to allocate thousands of bytes of memory per attacker-visible header, rapidly inflating memory usage.
- Reported amplification ratios are in the range of thousands of bytes per header on the wire, with Envoy and Apache httpd showing some of the strongest effects (tens to thousands of such allocations observed per header).
HTTP/2 flow-control exploitation
- After the initial allocation, the attacker prevents the memory from being released by signaling a zero-byte flow-control window.
- Instead of sending a normal response, the server periodically sends tiny WINDOW_UPDATE frames to avoid timeouts, but the response never completes.
- As a result, the memory stays held and the server's available RAM keeps shrinking.
Combined impact
- A single client on a typical consumer-grade connection can drive the target server into consuming large portions of RAM within seconds, effectively rendering the service inaccessible.
- Specific measurements reported in testing include:
  - Envoy exhausting about 32 GB of RAM in roughly 10 seconds.
  - Apache httpd exhausting about 32 GB of RAM in around 18 seconds.
  - nginx exhausting about 32 GB of RAM in approximately 45 seconds.
  - IIS on Windows Server 2025 exhausting about 64 GB of RAM in around 45 seconds.
Attack surface and reasoning
- The attack leverages the HTTP/2 header compression mechanism (HPACK) and the per-connection memory accounting used by servers.
- It bypasses existing defensive limits that focus on maximum header sizes, because the header values involved are tiny; the cost comes from the server's internal per-header bookkeeping and memory allocations rather than from the bytes received.
- The combination of memory amplification and stalled release creates a potent denial scenario that can overwhelm servers even when individual components might appear reasonably protected against single-method DoS.
Attack demonstration and disclosure
- The dual-method approach has been demonstrated in controlled testing environments and is slated for presentation at a security-focused conference.
- Proof-of-concept materials and early demonstrations have circulated publicly, illustrating how the two techniques interact to sustain memory growth and stall completion.
Impact and patches
- While the two components of the attack are not individually novel, their combination yields a significant practical impact, particularly against default HTTP/2 configurations.
- Patch history and current status:
  - nginx released a patch (version 1.29.8) adding a max_headers directive to limit exposure.
  - Apache httpd with mod_http2 (version 2.0.41) has an identified fix tracked as CVE-2026-49975.
  - At the time of reporting, patches for IIS, Envoy, and related platforms were not universally available, leaving some environments exposed.
- Defensive posture (in the absence of complete patches) emphasizes configuring hard limits and external protection:
  - Deploying a proxy or firewall that enforces strict header-count limits can mitigate exposure.
  - Systems that sit behind CDNs or reverse proxies may not expose the vulnerable HTTP/2 endpoint directly, reducing risk in those architectures.
  - Disabling HTTP/2 where feasible can reduce attack surface, especially for deployments that cannot be patched immediately.
Attack context and identifiers
- The technique draws on known HTTP/2 threats and memory-management vulnerabilities within the protocol’s implementation.
- Public-facing references point to academic and industry discussions exploring how per-header bookkeeping and per-connection memory allocations can translate into scalable DoS conditions under certain configurations.
Closing note
- The combination of a header-compression amplification mechanism with a flow-control stall produces a potent denial-of-service scenario that can exhaust server memory and prevent timely responses.
- The ongoing response from server software maintainers includes measures such as header-count limits and network-edge protections, reflecting a broader trend toward hardening HTTP/2 implementations against memory-management abuses.