- New DoS technique called HTTP/2 Bomb
- Combines HPACK compression amplification with HTTP/2 flow-control stalling
- Large web servers confirmed vulnerable
We can thank AI for a new denial-of-service (DoS) technique that can knock a server offline in seconds using nothing more than a single computer with a 100 Mbps connection.
Earlier this week, California cybersecurity researchers revealed a new DoS technique they call the HTTP/2 Bomb. They say they found it with the help of OpenAI’s Codex software agent, and that it combines two previously known HTTP/2 DoS methods: HPACK compression amplification (a small compressed header block that decompresses into far more data on the server) and Slowloris-style resource retention achieved by stalling HTTP/2 flow control.
Simply put, the attack tricks a web server into reserving large amounts of memory while the attacker sends very little data. It abuses HPACK, the header compression built into HTTP/2, which lets a compact request expand into a much larger set of headers inside the server’s decoder, forcing the server to allocate memory for them.
Proof of Concept released
Normally that memory is freed once the request has been processed. The attacker, however, uses a second HTTP/2 feature, flow control, to keep the connection open indefinitely: by stalling flow control the client prevents the server from completing the exchange and releasing what it has allocated. As more malicious requests arrive, memory usage grows rapidly until the server slows down and eventually crashes.
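To make the compression half of this concrete, here is an added example written for this article (it is not the researchers’ PoC and does not reproduce their technique): a minimal HPACK (RFC 7541) encoder and decoder that builds a header block which stores one entry in the dynamic table and then references it repeatedly by a one-byte index, and reports how many decoded bytes the server ends up holding per byte received on the wire. The header name `x` and its value are constructed for the demo; Huffman coding and all but a handful of static-table rows are omitted as a simplification. It runs the generic amplification primitive twice, with a large value and with a one-byte value, since the article notes the attack’s header values are minimal.

```python
"""Minimal HPACK (RFC 7541) encoder/decoder for measuring how much a
header block grows when decoded.  Added example, not the Calif PoC.
Assumptions: no Huffman strings; static table reduced to the rows used."""

# Subset of RFC 7541 Appendix A (the real table has 61 rows).
STATIC = {1: (":authority", ""), 2: (":method", "GET"),
          4: (":path", "/"), 7: (":scheme", "https")}
STATIC_LEN = 61
DEFAULT_TABLE_SIZE = 4096   # SETTINGS_HEADER_TABLE_SIZE default
ENTRY_OVERHEAD = 32         # RFC 7541 §4.1: size = len(name)+len(value)+32


def encode_int(value, prefix_bits, flags=0):
    """HPACK integer with an N-bit prefix (§5.1)."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = bytearray([flags | mask]), value - mask
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def encode_string(s):
    """Raw string literal: H=0 bit, 7-bit length prefix (§5.2)."""
    data = s.encode()
    return encode_int(len(data), 7) + data


def encode_literal_indexed(name, value):
    """Literal with incremental indexing, new name (§6.2.1): 01 000000."""
    return encode_int(0, 6, 0x40) + encode_string(name) + encode_string(value)


def encode_indexed(index):
    """Indexed header field (§6.1): 1xxxxxxx, 7-bit prefix."""
    return encode_int(index, 7, 0x80)


def decode_int(buf, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman strings not supported in this example")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode(), pos + length


def decode_block(block, max_table=DEFAULT_TABLE_SIZE):
    """Decode one header block -> (headers, header_list_size per §4.1)."""
    dynamic, dyn_size, headers, pos = [], 0, [], 0

    def lookup(idx):                      # static first, then dynamic (§2.3.3)
        return STATIC[idx] if idx <= STATIC_LEN else dynamic[idx - STATIC_LEN - 1]

    while pos < len(block):
        b = block[pos]
        if b & 0x80:                      # indexed: one byte names a whole header
            idx, pos = decode_int(block, pos, 7)
            name, value = lookup(idx)
        elif b & 0x40:                    # literal, inserted into dynamic table
            idx, pos = decode_int(block, pos, 6)
            name, pos = (lookup(idx)[0], pos) if idx else decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
            dyn_size += len(name) + len(value) + ENTRY_OVERHEAD
            while dyn_size > max_table:   # evict oldest entries (§4.3)
                n, v = dynamic.pop()
                dyn_size -= len(n) + len(v) + ENTRY_OVERHEAD
        elif b & 0x20:                    # dynamic table size update (§6.3)
            max_table, pos = decode_int(block, pos, 5)
            continue
        else:                             # literal without / never indexed
            idx, pos = decode_int(block, pos, 4)
            name, pos = (lookup(idx)[0], pos) if idx else decode_string(block, pos)
            value, pos = decode_string(block, pos)
        headers.append((name, value))
    return headers, sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)


def amplification(value_len, repeats):
    """(wire bytes, decoded header-list bytes, header count) for a block that
    adds one 'x: <value_len bytes>' entry, then references it `repeats` times."""
    block = (encode_indexed(2) + encode_indexed(7) + encode_indexed(4)
             + encode_literal_indexed("x", "y" * value_len)
             + encode_indexed(STATIC_LEN + 1) * repeats)
    headers, list_size = decode_block(block)
    return len(block), list_size, len(headers)


if __name__ == "__main__":
    for vlen, reps in ((1, 1000), (4000, 1000)):
        wire, decoded, count = amplification(vlen, reps)
        print(f"value_len={vlen:5d} repeats={reps}: {wire} wire bytes -> "
              f"{decoded} decoded bytes, {count} headers (x{decoded / wire:.0f})")
```

The `header_list_size` figure is the quantity a decoder bounds with a header-list-size limit; the example shows that the amplification survives even with one-byte values, because every indexed reference still costs the server a full entry plus the 32-byte accounting overhead, while costing the client a single wire byte.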
Calif says the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
According to CyberInsider, the affected products “power a significant portion of the web,” so the exposure is broad. Some vendors have already issued a patch, while other products remain vulnerable. Check which of these servers you run and watch for vendor updates.
“A home computer on a 100 Mbps connection can render a vulnerable server inaccessible in seconds. Against Apache httpd and Envoy, a single client can consume and store 32 GB of server memory in about 20 seconds,” the researchers said.
Current defenses are powerless against the HTTP/2 Bomb, they added. Limits on the total decoded header size, for example, do not help, because the header values used in the attack are tiny.
Technical details are due later this month, but Calif has already released a proof-of-concept (PoC).
Via Bleeping Computer
