An 'HTTP/2 Bomb' attack capable of bringing down web servers in seconds has been discovered using OpenAI's Codex.

Security researchers have discovered a DoS attack method that can bring down a server in seconds using a regular home PC.
Codex Discovered a Hidden HTTP/2 Bomb - Calif
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/
The attack discovered this time combines the previously known 'HPACK compression amplification' attack with a Slowloris-type resource retention technique that disables HTTP/2 flow control. It works with the default HTTP/2 configurations of major web servers such as nginx, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
The HPACK compression amplification attack works by inserting a large header into the HPACK dynamic table and then referencing it repeatedly with the indexed representation, which is only about one byte long. As a result, each byte the attacker sends can trigger thousands of bytes of memory allocation on the server side.
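To make the HPACK accounting concrete, here is an added example (not code from the researchers or from any of the servers named above) of a reduced HPACK decoder that applies the RFC 7541 entry-size rule (name + value + 32 bytes) and aborts as soon as the decoded header list exceeds an advertised SETTINGS_MAX_HEADER_LIST_SIZE, which is the check a receiver relies on to bound how far a small header block can expand. It handles only the indexed and literal-with-incremental-indexing forms without Huffman coding; the static-table subset, the sample block and the 8192/16384-byte limits are constructed for the example.

```python
"""Reduced HPACK (RFC 7541) decoder with a decoded-size budget.

Assumptions for this example: only the indexed (§6.1) and literal-with-incremental-
indexing (§6.2.1) representations, no Huffman-coded strings, and a six-entry subset
of the 61-entry static table.
"""

# Subset of the static table (RFC 7541 Appendix A); indices 1..61 are static.
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
                4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https")}
STATIC_TABLE_SIZE = 61
ENTRY_OVERHEAD = 32  # per-entry accounting overhead, RFC 7541 §4.1


class HeaderListTooLarge(Exception):
    """Decoded header list exceeded the advertised SETTINGS_MAX_HEADER_LIST_SIZE."""


def _encode_int(value, prefix_bits, flags=0):
    """HPACK integer representation (§5.1) with an N-bit prefix."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def _decode_int(data, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value, pos = data[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = data[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _encode_string(s):
    raw = s.encode("latin-1")
    return _encode_int(len(raw), 7) + raw  # Huffman bit left clear


def _decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman strings are outside this example")
    length, pos = _decode_int(data, pos, 7)
    return data[pos:pos + length].decode("latin-1"), pos + length


def encode_block(fields):
    """Build a header block from ("literal", name, value) and ("indexed", index) tuples."""
    out = bytearray()
    for f in fields:
        if f[0] == "literal":   # literal with incremental indexing, new name (index 0)
            out += _encode_int(0, 6, 0x40) + _encode_string(f[1]) + _encode_string(f[2])
        elif f[0] == "indexed":
            out += _encode_int(f[1], 7, 0x80)
        else:
            raise ValueError(f[0])
    return bytes(out)


class BudgetedDecoder:
    def __init__(self, max_header_list_size, max_dynamic_table_size=4096):
        self.max_header_list_size = max_header_list_size
        self.max_dynamic_table_size = max_dynamic_table_size
        self.dynamic, self.dynamic_size = [], 0  # newest entry first (§2.3.2)

    def _lookup(self, index):
        if 1 <= index <= STATIC_TABLE_SIZE:
            if index not in STATIC_TABLE:
                raise NotImplementedError("static index %d not in example subset" % index)
            return STATIC_TABLE[index]
        dyn = index - STATIC_TABLE_SIZE - 1
        if dyn < 0 or dyn >= len(self.dynamic):
            raise ValueError("invalid HPACK index %d" % index)
        return self.dynamic[dyn]

    def _add_dynamic(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.dynamic_size += len(name) + len(value) + ENTRY_OVERHEAD
        while self.dynamic_size > self.max_dynamic_table_size:  # evict oldest (§4.4)
            n, v = self.dynamic.pop()
            self.dynamic_size -= len(n) + len(v) + ENTRY_OVERHEAD

    def decode(self, block):
        headers, decoded_size, pos = [], 0, 0
        while pos < len(block):
            first = block[pos]
            if first & 0x80:
                index, pos = _decode_int(block, pos, 7)
                name, value = self._lookup(index)
            elif first & 0x40:
                index, pos = _decode_int(block, pos, 6)
                name, pos = _decode_string(block, pos) if index == 0 else (self._lookup(index)[0], pos)
                value, pos = _decode_string(block, pos)
                self._add_dynamic(name, value)
            else:
                raise NotImplementedError("only indexed and incremental-indexing forms handled")
            # Charge the entry before keeping it, so the budget holds for every prefix.
            decoded_size += len(name) + len(value) + ENTRY_OVERHEAD
            if decoded_size > self.max_header_list_size:
                raise HeaderListTooLarge("decoded %d > limit %d" % (decoded_size, self.max_header_list_size))
            headers.append((name, value))
        return headers, decoded_size


def inspect_block(block, max_header_list_size):
    """Verdict for a header block: accepted or not, plus wire size vs. decoded size."""
    try:
        headers, decoded_size = BudgetedDecoder(max_header_list_size).decode(block)
    except HeaderListTooLarge:
        return {"accepted": False, "wire_size": len(block)}
    return {"accepted": True, "wire_size": len(block), "decoded_size": decoded_size,
            "headers": len(headers), "amplification": decoded_size / len(block)}


# Constructed sample: one 1000-byte literal, then nine one-byte references to it (index 62).
SAMPLE_BLOCK = encode_block([("literal", "x-pad", "x" * 1000)] + [("indexed", 62)] * 9)
```

Running `inspect_block(SAMPLE_BLOCK, 8192)` rejects the block at the eighth decoded entry, while a 16384-byte limit accepts it and reports roughly tenfold expansion from 1019 wire bytes to 10370 accounted bytes; the important design point is that the budget is charged per entry as decoding proceeds, so the decoder never allocates the full expanded list before discovering it is over the limit.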
In the second phase of the attack, the client advertises a zero-byte flow-control window, which prevents the server from ever completing the response. The request therefore never finishes, and the memory allocated for it keeps growing without being released.
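The retention half of the attack concerns response bytes the server has already produced but cannot send because the peer's window stays at zero. The following added example (not code from the researchers or from any of the servers named above) is a small watchdog that tracks per-stream send windows and buffered response bytes, and closes a connection once a stream has been window-blocked past a deadline or the connection's total buffered data exceeds a cap; the event sequence, the connection names and the 10-second and 1,000,000-byte thresholds are constructed for the example.

```python
"""Watchdog for streams left window-blocked while a response sits in memory.

The stream bookkeeping here is a simplified model of HTTP/2 flow control
(RFC 9113 §5.2): the server may only send as many DATA bytes as the peer's
window allows, so a peer that never sends WINDOW_UPDATE pins the response.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Stream:
    send_window: int                     # bytes the peer currently allows us to send
    pending: int = 0                     # response bytes buffered, waiting for window
    blocked_since: Optional[float] = None


class StalledStreamWatchdog:
    def __init__(self, max_blocked_seconds: float, max_pending_per_conn: int):
        self.max_blocked_seconds = max_blocked_seconds
        self.max_pending_per_conn = max_pending_per_conn
        self.streams: Dict[Tuple[str, int], Stream] = {}
        self.closed: List[str] = []

    def open_stream(self, t: float, conn: str, stream_id: int, initial_window: int):
        # initial_window comes from the peer's SETTINGS_INITIAL_WINDOW_SIZE.
        self.streams[(conn, stream_id)] = Stream(send_window=initial_window)

    def queue_response(self, t: float, conn: str, stream_id: int, nbytes: int):
        s = self.streams[(conn, stream_id)]
        s.pending += nbytes
        self._drain(t, s)

    def window_update(self, t: float, conn: str, stream_id: int, increment: int):
        s = self.streams[(conn, stream_id)]
        s.send_window += increment
        self._drain(t, s)

    def _drain(self, t: float, s: Stream):
        """Send what the window permits; start the stall clock if bytes remain stuck."""
        sent = min(s.send_window, s.pending)
        s.send_window -= sent
        s.pending -= sent
        if s.pending > 0 and s.send_window == 0:
            if s.blocked_since is None:
                s.blocked_since = t
        else:
            s.blocked_since = None

    def check(self, t: float) -> List[str]:
        """Return the connections closed at time t, applying both limits."""
        to_close, pending_by_conn = set(), {}
        for (conn, _), s in self.streams.items():
            pending_by_conn[conn] = pending_by_conn.get(conn, 0) + s.pending
            if s.blocked_since is not None and t - s.blocked_since > self.max_blocked_seconds:
                to_close.add(conn)
        for conn, total in pending_by_conn.items():
            if total > self.max_pending_per_conn:
                to_close.add(conn)
        for conn in sorted(to_close):
            self.streams = {k: v for k, v in self.streams.items() if k[0] != conn}
            self.closed.append(conn)
        return sorted(to_close)


def run_sample():
    """Constructed scenario: c1 never opens its window, c2 behaves, c3 pins many streams."""
    wd = StalledStreamWatchdog(max_blocked_seconds=10, max_pending_per_conn=1_000_000)
    wd.open_stream(0.0, "c1", 1, initial_window=0)
    wd.queue_response(0.0, "c1", 1, 4096)          # 4 KiB stuck behind a zero window
    wd.open_stream(0.0, "c2", 1, initial_window=65535)
    wd.queue_response(0.0, "c2", 1, 1000)          # drains immediately
    for sid in range(1, 200, 2):                   # 100 streams x 20000 bytes on c3
        wd.open_stream(0.0, "c3", sid, initial_window=0)
        wd.queue_response(0.0, "c3", sid, 20000)
    early = wd.check(5.0)    # c3 exceeds the per-connection byte cap right away
    late = wd.check(12.0)    # c1 has now been blocked longer than the deadline
    return early, late, wd.closed
```

The two limits cover the two ways a single client can retain memory: one stream held open indefinitely (caught by the stall deadline) or many streams that together hold more than the connection is allowed to buffer (caught by the byte cap); both are enforced per connection so a well-behaved peer such as `c2` is never affected.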
The researchers stated, 'Even a home PC with a 100Mbps connection can render a vulnerable server unusable within seconds. Against Apache httpd and Envoy, a single client can consume and retain 32GB of server memory in about 20 seconds.'

According to tests conducted by researchers, Envoy 1.37.2 exhausted 32GB of RAM in about 10 seconds, Apache httpd 2.4.67 exhausted 32GB in about 18 seconds, nginx 1.29.7 exhausted 32GB in about 45 seconds, and IIS (Windows Server 2025) exhausted 64GB of RAM in about 45 seconds.
The researchers emphasize that while the individual elements of these attacks are not particularly new, combining them has a very significant impact. They used OpenAI's coding agent, Codex, to discover the combination.

Researchers have reported the issue to the companies managing the servers, and nginx, Apache, and Envoy have reportedly been fixed. Patches for Microsoft IIS and Pingora are not yet available.
The affected web server projects recommend disabling HTTP/2 wherever possible and placing a proxy or firewall in front of the server that enforces strict header limits.
in Security, Posted by log1p_kr