'HTTP/2 Bomb' Exploit Threatens Web Servers with Rapid Denial-of-Service

New 'HTTP/2 Bomb' Exploit Can Crash NGINX, Apache, and Other Major Web Servers in Seconds

Severity: HIGH
June 4, 2026
Categories: Vulnerability, Cyberattack


Executive Summary

Security researchers have disclosed a potent new denial-of-service (DoS) exploit named the "HTTP/2 Bomb." The attack chains together several known vulnerabilities, some of them a decade old, into a highly efficient weapon against modern web servers. Launched from a single machine, the exploit can cause major web server software such as NGINX, Apache HTTP Server, and Microsoft IIS to crash within seconds. The vulnerability lies in the default implementation of the HTTP/2 protocol, placing hundreds of thousands of websites at immediate risk of being knocked offline.


Vulnerability Details

The "HTTP/2 Bomb" is not a single vulnerability but a clever combination of two distinct attack techniques applied to the HTTP/2 protocol:

  1. Compression Bomb (HPACK Bomb): The attack leverages HPACK, the header compression scheme used in HTTP/2. By sending a specially crafted, highly compressed header, the attacker forces the server to decompress it into a much larger block of data, consuming a disproportionate amount of server memory.
  2. Slowloris-style Attack: The exploit keeps the malicious connection open without sending a complete request. This ties up server resources (memory and connection slots) and prevents them from being freed, similar to the classic Slowloris DoS attack. The server is left waiting for more data that never arrives.

By combining these methods, a single attacker using a standard home internet connection can exhaust a server's memory and cause it to crash or become unresponsive very quickly.


Affected Systems

The vulnerability affects a wide range of popular web server software that supports HTTP/2 with default configurations. The list of impacted products includes:

  • NGINX
  • Apache HTTPD
  • Microsoft IIS
  • Envoy
  • Cloudflare Pingora

An estimated 880,000 websites are potentially vulnerable to this attack.


Exploitation Status

The researchers have developed a proof-of-concept (PoC) and stated that the attack is practical and can be launched with minimal resources. The fact that it chains together long-known vulnerabilities suggests that many servers may not be configured to defend against this specific combination of techniques.

This attack maps to the MITRE ATT&CK technique T1499 - Endpoint Denial of Service.


Impact Assessment

The primary impact is a Denial-of-Service condition, making websites and web applications unavailable to legitimate users. This can lead to:

  • Business Disruption: E-commerce sites, APIs, and other online services can be forced offline, leading to revenue loss.
  • Reputational Damage: Frequent or prolonged outages can damage a brand's reputation and erode customer trust.
  • Resource Diversion: Security and IT teams must divert resources from other projects to diagnose and mitigate the attack.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Type: Log Pattern
    Value: A sudden spike in memory usage on a web server correlated with a small number of new HTTP/2 connections.
    Description: This could indicate the memory exhaustion effect of the HPACK bomb.
  • Type: Network Traffic Pattern
    Value: HTTP/2 connections that remain open for an extended time with very little data being transferred after the initial HEADERS frame.
    Description: This is characteristic of the Slowloris component of the attack.
  • Type: Log Pattern
    Value: Web server logs showing incomplete HTTP/2 requests or errors related to header decompression.
    Description: May indicate an attempt to trigger the exploit.

Detection Methods

  • Performance Monitoring: Implement real-time monitoring of web server CPU and memory usage. Configure alerts for sudden, unexplained spikes that are not proportional to traffic levels.
  • Network Traffic Analysis: Use network monitoring tools to analyze HTTP/2 sessions. Look for the characteristics of the attack: small initial request, large server-side memory allocation, and long-lived, idle connections. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
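As an added example (not code from the article or from the researchers), the following Python sketch applies the hunting hints and detection methods above to constructed per-connection telemetry: it flags HEADERS frames whose decompressed size far exceeds their wire size (the HPACK bomb observable) and connections that stay open while sending almost nothing after HEADERS (the Slowloris observable), then counts flagged connections per client. The key=value telemetry format, the field names and the thresholds are assumptions; a real deployment would feed the same logic from the server's or proxy's connection metrics.

```python
from collections import Counter
from dataclasses import dataclass

# Thresholds are illustrative assumptions; baseline them against your own traffic.
MAX_HEADER_EXPANSION = 20.0   # decompressed / compressed HEADERS bytes
IDLE_AGE_SECONDS = 30.0       # age beyond which near-silence is suspicious
MAX_IDLE_BYTES = 64           # bytes after HEADERS still counted as "nothing sent"

# Constructed telemetry (assumed key=value format, one HTTP/2 connection per line):
# c1 normal, c2 header expansion, c3 long idle, c4 both, c5 long-lived but busy (benign).
SAMPLE_TELEMETRY = """\
conn=c1 client=198.51.100.7 age=2.1 hdr_c=310 hdr_d=910 after=18240
conn=c2 client=203.0.113.9 age=4.0 hdr_c=420 hdr_d=61400 after=0
conn=c3 client=203.0.113.9 age=142.0 hdr_c=290 hdr_d=800 after=0
conn=c4 client=203.0.113.9 age=95.5 hdr_c=450 hdr_d=70200 after=12
conn=c5 client=198.51.100.8 age=640.0 hdr_c=300 hdr_d=950 after=5242880
"""

@dataclass
class Conn:
    conn_id: str
    client: str
    age_s: float              # seconds since the connection was accepted
    hdr_compressed: int       # HEADERS frame bytes on the wire
    hdr_decompressed: int     # header block bytes after HPACK decoding
    bytes_after_headers: int  # bytes received after the HEADERS frame

def parse_line(line: str) -> Conn:
    f = dict(kv.split("=", 1) for kv in line.split())
    return Conn(f["conn"], f["client"], float(f["age"]),
                int(f["hdr_c"]), int(f["hdr_d"]), int(f["after"]))

def classify(conn: Conn) -> list[str]:
    findings = []
    # HPACK bomb: a small HEADERS frame that inflates far beyond its wire size.
    if conn.hdr_compressed and conn.hdr_decompressed / conn.hdr_compressed > MAX_HEADER_EXPANSION:
        findings.append("hpack-expansion")
    # Slowloris component: connection stays open but sends almost nothing after HEADERS.
    if conn.age_s > IDLE_AGE_SECONDS and conn.bytes_after_headers <= MAX_IDLE_BYTES:
        findings.append("slowloris-idle")
    return findings

def hunt(telemetry: str) -> tuple[dict[str, list[str]], Counter]:
    # Returns flagged connections and how many flagged connections each client holds.
    flagged: dict[str, list[str]] = {}
    per_client: Counter = Counter()
    for line in telemetry.splitlines():
        conn = parse_line(line)
        if findings := classify(conn):
            flagged[conn.conn_id] = findings
            per_client[conn.client] += 1
    return flagged, per_client
```

On the constructed sample, hunt(SAMPLE_TELEMETRY) flags c2, c3 and c4 and attributes all three to the same client, while the long-lived but busy streaming connection c5 is left alone.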

Remediation Steps

  1. Apply Patches: Web server vendors will likely release patches or updated configuration guidance. Monitor for and apply these updates as soon as they become available (D3-SU: Software Update).
  2. Configuration Hardening: Review and harden your web server's HTTP/2 configuration. This may include:
    • Lowering the maximum allowed header size.
    • Setting aggressive timeouts for idle connections.
    • Implementing rate limiting on new connections and requests.
  3. Use a Web Application Firewall (WAF): A properly configured WAF or Application Delivery Controller (ADC) at the edge of your network can inspect and normalize HTTP/2 traffic, potentially mitigating the attack before it reaches your server.
  4. Temporary Mitigation: In a critical situation, if other mitigations are not available, consider temporarily disabling HTTP/2 on your servers and reverting to HTTP/1.1. This should be a last resort as it may impact performance.

Timeline of Events

  1. June 4, 2026: This article was published.

MITRE ATT&CK Mitigations

Applying patches from web server vendors is the primary method for fixing the underlying vulnerabilities.

Hardening server configurations by setting stricter limits on headers, timeouts, and rate limiting can mitigate the exploit's effectiveness.

Using a WAF or ADC to inspect and filter malicious HTTP/2 traffic can block the attack before it reaches the vulnerable server.

D3FEND Defensive Countermeasures

To defend against the HTTP/2 Bomb, administrators of NGINX, Apache, and other affected servers must immediately review and harden their HTTP/2 configurations. Do not rely on default settings. Key actions include setting aggressive (low) timeouts for connections and headers, reducing the maximum number of concurrent streams per connection, and setting a reasonable limit on the size of the header compression table. These settings directly counter the Slowloris and HPACK Bomb components of the attack by preventing resource exhaustion. Consult your specific web server's documentation for the exact directives (http2_max_concurrent_streams, http2_idle_timeout, etc.) and apply the most restrictive settings possible that do not impact legitimate traffic.

Deploy a network monitoring solution or WAF that can perform deep packet inspection of HTTP/2 traffic. Configure it to detect the specific signatures of the HTTP/2 Bomb attack. This includes alerting on clients that send highly compressed HEADERS frames or maintain an unusually high number of open streams without sending subsequent data. By analyzing the behavior of HTTP/2 sessions in real-time, these tools can identify and block malicious clients before they can cause the origin server to crash, effectively serving as a protective shield.

Sources & References

'HTTP/2 Bomb' Exploit Knocks Web Servers Offline in Seconds. SecurityWeek (securityweek.com), June 3, 2026.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.