Top Highlights
- The "HTTP/2 Bomb" vulnerability exploits HPACK compression and Slowloris techniques to cause memory exhaustion and denial-of-service on major web servers like NGINX, Apache, IIS, Envoy, and Cloudflare Pingora.
- Attackers can induce server memory overloads rapidly, consuming up to 32GB in seconds, potentially rendering servers inaccessible within moments.
- Mitigation requires a server upgrade or disabling HTTP/2; patches are not yet available for some affected platforms, which remain exposed to this DoS attack until vendors ship a fix.
Threat, Attack Techniques, and Targets
Cybersecurity researchers recently disclosed a new vulnerability called the HTTP/2 Bomb. It affects major web servers such as NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The flaw enables a remote denial-of-service (DoS) attack: an attacker can exhaust the server's memory so that it crashes or stops responding. The attack chains two techniques: a compression bomb and a Slowloris-style hold. The compression bomb abuses HPACK, the header compression scheme in HTTP/2, by creating many large header entries that consume server memory. The Slowloris hold then keeps those connections open so the server cannot free that memory. Together they can overwhelm a server with very little effort. A threat actor using a home computer can take a server down within seconds, and can tie up as much as 32GB of server memory in about 20 seconds against servers such as Apache HTTPD and Envoy.
Impact, Security Implications, and Remediation Guidance
This vulnerability can seriously affect web servers by making them unavailable. Attackers cause service disruption by consuming server resources, particularly memory, so the availability of affected systems is at risk. Mitigation steps depend on the server. For NGINX, upgrade to version 1.29.8 or higher, which adds an important limit on header size; if upgrading is not possible, disable HTTP/2 with the “http2 off” setting. For Apache HTTPD, update to mod_http2 version 2.0.41 or higher, or disable HTTP/2 by setting Protocols to http/1.1. For IIS, Envoy, and Cloudflare Pingora, no fix has been announced yet; operators of those platforms should follow the latest security guidance from the vendors or relevant authorities to prevent exploitation of this vulnerability.
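A quick exposure check built from the thresholds in this advisory, added here as an example (not vendor tooling): it compares a reported version against the fixed versions above and applies a simple heuristic to an NGINX config to see whether HTTP/2 is still enabled. The version strings, config text and `example.test` host are constructed sample inputs.

```python
"""Exposure check for the HTTP/2 Bomb thresholds quoted in the advisory
(NGINX 1.29.8, Apache mod_http2 2.0.41). Added example, not vendor tooling."""
import re

# Minimum fixed versions as stated in the advisory text.
FIXED_VERSIONS = {"nginx": (1, 29, 8), "mod_http2": (2, 0, 41)}


def parse_version(text):
    """Pull the first dotted numeric version out of strings such as
    'nginx version: nginx/1.29.8' (the output format of `nginx -v`)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(component, version_text):
    """True when the reported version is at or above the fixed version.
    Tuples compare element-wise, so 1.30.0 and 1.29.10 both pass 1.29.8."""
    return parse_version(version_text) >= FIXED_VERSIONS[component]


def http2_enabled(nginx_conf):
    """Heuristic: HTTP/2 is on if the config has 'http2 on;' or the older
    'listen ... http2;' form and no 'http2 off;'. Comments are ignored and
    directive scope is not modelled (assumption: a single server block)."""
    text = "\n".join(l.split("#", 1)[0] for l in nginx_conf.splitlines())
    if re.search(r"\bhttp2\s+off\s*;", text):
        return False
    return bool(re.search(r"\bhttp2\s+on\s*;", text)
                or re.search(r"\blisten\b[^;]*\bhttp2\b[^;]*;", text))


def nginx_exposed(version_text, nginx_conf):
    """Exposed only when the build predates the fix AND HTTP/2 is still on;
    the advisory's fallback for builds that cannot be upgraded is 'http2 off'."""
    return not is_fixed("nginx", version_text) and http2_enabled(nginx_conf)


# Constructed sample inputs: an unpatched build with HTTP/2 on, then off.
SAMPLE_VERSION = "nginx version: nginx/1.26.2"
SAMPLE_CONF_VULNERABLE = """
server {
    listen 443 ssl;
    http2 on;          # HTTP/2 enabled on an unpatched build
    server_name example.test;
}
"""
SAMPLE_CONF_MITIGATED = SAMPLE_CONF_VULNERABLE.replace("http2 on;", "http2 off;")

if __name__ == "__main__":
    print("exposed:", nginx_exposed(SAMPLE_VERSION, SAMPLE_CONF_VULNERABLE))  # True
    print("exposed:", nginx_exposed(SAMPLE_VERSION, SAMPLE_CONF_MITIGATED))   # False
```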
