- New DoS technique called HTTP/2 Bomb
- Takes advantage of HPACK compression amplification and HTTP/2 flow control
- Major web servers confirmed to be vulnerable
We can thank AI for a new denial-of-service (DoS) technique that can take a web server offline in a matter of seconds, using nothing more than a single computer on a 100 Mbps connection.
Earlier this week, researchers at Calif revealed they had discovered a new DoS technique they call HTTP/2 Bomb. They used OpenAI's Codex software agent to find it, and say it combines two previously known HTTP/2 DoS methods: HPACK compression amplification and Slowloris-style resource retention using HTTP/2 flow control.
Simply put, the attack tricks a web server into reserving large amounts of memory while the client sends very little data. The attacker exploits HPACK, the header compression built into HTTP/2, in which a small encoded request expands into a much larger amount of header data inside the server, forcing it to allocate memory.
Proof of concept published
Normally, that memory would be freed once the request has been processed. Here, however, the attacker uses a second HTTP/2 mechanism, flow control, to hold the connection open indefinitely, so the allocated memory is never released. As more malicious requests arrive, memory usage grows rapidly until the server slows down and eventually crashes.
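To make the "compression amplification" half of the mechanism concrete, here is an added example (not Calif's code, and not a reproduction of their technique, whose details have not been published) showing how HPACK (RFC 7541) lets a one-octet indexed reference expand into a full header. It implements a minimal HPACK decoder for two representations only (indexed fields and literals with incremental indexing, non-Huffman strings), with the static table abbreviated to a handful of entries; the header name `x-pad` and the sizes are constructed for the demo. A real server's decoded-header-list limit would catch this particular block, which is exactly the kind of limit the researchers say the actual attack sidesteps; the point here is only the ratio between bytes on the wire and bytes the server must materialise.

```python
# Added illustration of HPACK (RFC 7541) amplification; not Calif's code.
# Handles only: indexed fields (§6.1) and literals with incremental
# indexing (§6.2.1) carrying non-Huffman strings. The static table below
# is abbreviated to a few entries (assumption: enough for this demo).

STATIC_TABLE = {
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https"),
}
STATIC_TABLE_SIZE = 61  # the full table (RFC 7541 Appendix A) has 61 entries

def decode_int(data, pos, prefix_bits):
    """RFC 7541 §5.1 integer; returns (value, next position)."""
    max_prefix = (1 << prefix_bits) - 1
    value, pos = data[pos] & max_prefix, pos + 1
    if value < max_prefix:
        return value, pos
    shift = 0
    while True:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def encode_int(value, prefix_bits, flags):
    """Inverse of decode_int; `flags` are the high bits of the first octet."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([flags | value])
    out, value = bytearray([flags | max_prefix]), value - max_prefix
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)

def decode_string(data, pos):
    """§5.2 string literal; Huffman-coded strings are deliberately unsupported."""
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman-coded string")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length].decode("ascii"), pos + length

class HpackDecoder:
    def __init__(self, max_table_size=4096):  # SETTINGS_HEADER_TABLE_SIZE default
        self.max_table_size = max_table_size
        self.dynamic = []       # newest entry first (§2.3.2)
        self.dynamic_size = 0   # sum of entry sizes (§4.1)

    def _lookup(self, index):
        if 1 <= index <= STATIC_TABLE_SIZE:
            return STATIC_TABLE[index]  # KeyError for entries omitted above
        return self.dynamic[index - STATIC_TABLE_SIZE - 1]

    def _add(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.dynamic_size += len(name) + len(value) + 32
        while self.dynamic_size > self.max_table_size:  # eviction (§4.3)
            n, v = self.dynamic.pop()
            self.dynamic_size -= len(n) + len(v) + 32

    def decode(self, block):
        """Decode one header block into a list of (name, value) pairs."""
        headers, pos = [], 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:                # indexed header field
                index, pos = decode_int(block, pos, 7)
                headers.append(self._lookup(index))
            elif first & 0x40:              # literal, incremental indexing
                index, pos = decode_int(block, pos, 6)
                if index == 0:
                    name, pos = decode_string(block, pos)
                else:
                    name = self._lookup(index)[0]
                value, pos = decode_string(block, pos)
                headers.append((name, value))
                self._add(name, value)
            else:
                raise NotImplementedError(f"representation 0x{first:02x} not handled")
        return headers

def literal_incremental(name, value):
    """Encode §6.2.1 with a literal (index 0) name and plain strings."""
    return (b"\x40" + encode_int(len(name), 7, 0) + name.encode()
            + encode_int(len(value), 7, 0) + value.encode())

def indexed(index):
    return encode_int(index, 7, 0x80)

def amplification_demo(value_len=1000, repeats=200):
    """Constructed block: one large literal header (hypothetical name x-pad),
    then `repeats` one-octet references to it at dynamic index 62.
    Returns (wire bytes, decoded bytes, header count)."""
    block = literal_incremental("x-pad", "a" * value_len)
    block += indexed(STATIC_TABLE_SIZE + 1) * repeats
    headers = HpackDecoder().decode(block)
    decoded = sum(len(n) + len(v) for n, v in headers)
    return len(block), decoded, len(headers)

if __name__ == "__main__":
    wire, decoded, count = amplification_demo()
    print(f"{wire} bytes on the wire -> {decoded} decoded bytes "
          f"in {count} headers ({decoded / wire:.0f}x)")
```

With the defaults, 1,210 bytes of header block decode to 201 headers totalling 202,005 bytes, roughly 167 to 1. The dynamic table entry itself stays within the default 4,096-byte table, so nothing about the block is malformed; the cost is entirely on the receiving side, which is why the second half of the technique (keeping the stream alive via flow control so that cost is never reclaimed) matters.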
Calif says the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
According to CyberInsider, the affected products "power a significant portion of the web," so the exposure is broad. Some vendors have already issued patches, while other products remain vulnerable; check your servers for incoming updates.
“A home computer with a 100 Mbps connection can make a vulnerable server inaccessible in seconds. Against Apache httpd and Envoy, a single client can consume and store 32 GB of server memory in approximately 20 seconds,” the researchers said.
Those figures imply an amplification of at least about 128 to 1: 100 Mbps sustained for 20 seconds is roughly 250 MB on the wire, against 32 GB held in server memory. The researchers further said that current defenses do not stop HTTP/2 Bomb. Limits on the total decoded header size, for example, do not help, because the header values used in the attack are minuscule.
Full technical details are due to be released later this month, but Calif has already published a proof of concept (PoC).
Via BleepingComputer
