The HTTP/2 Bomb: A Remote Denial-of-Service Vulnerability in Major Web Servers
The cybersecurity world is abuzz with the discovery of a critical vulnerability in major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. The vulnerability, dubbed the HTTP/2 Bomb by Calif, is a remotely triggerable denial-of-service (DoS) flaw that can be devastating for web server operators.
What makes this vulnerability particularly insidious is its reliance on two known techniques: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, HTTP/2's header compression scheme, turning one byte on the wire into one full header allocation on the server, repeated thousands of times per request. The hold, a zero-byte flow-control window, keeps the server from ever freeing any of it.
HPACK, a dedicated header compression algorithm for HTTP/2, is designed to reduce header size by 30% on average and is resilient to attacks like CRIME, which can leak authentication cookies from compressed headers. However, the HTTP/2 Bomb takes advantage of HPACK's functionality to overwhelm servers.
The amplification comes from the per-entry bookkeeping the server allocates around the nearly empty header. Unlike classic bombs that stuff large values into tables, this variant's amplification is subtle yet powerful. A single client can consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds, rendering the server inaccessible.
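To make the accounting concrete, here is an added illustration (not code from the article or from any of the servers it names) of the check RFC 7541 asks receivers to apply: a header block is measured by its decoded size, name plus value plus 32 bytes of bookkeeping per field, not by its wire size, and the decoded total is capped by SETTINGS_MAX_HEADER_LIST_SIZE. The static-table subset, the 8192-byte limit and the two sample blocks are constructed for the example.

```python
# Added example: decoded-size accounting for an HPACK header block (RFC 7541 sec. 4.1).
# A field encoded as a single indexed byte still costs name + value + 32 bytes once
# decoded, so enforcing the limit on decoded size stops amplification early.

ENTRY_OVERHEAD = 32  # per-field bookkeeping defined by RFC 7541 section 4.1

# Subset of the HPACK static table (RFC 7541 appendix A); enough for the samples.
STATIC_TABLE = {
    2: (":method", "GET"),
    4: (":path", "/"),
    7: (":scheme", "https"),
    16: ("accept-encoding", "gzip, deflate"),
}

def decode_int(buf, pos, prefix_bits):
    """Decode an RFC 7541 section 5.1 prefixed integer; returns (value, new_pos)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_indexed_block(block, max_header_list_size):
    """Decode a block consisting only of indexed field representations (top bit set),
    enforcing the decoded-size cap. Returns (headers, decoded_size, rejected)."""
    headers, size, pos = [], 0, 0
    while pos < len(block):
        if not block[pos] & 0x80:
            raise ValueError("this example handles indexed representations only")
        index, pos = decode_int(block, pos, 7)
        name, value = STATIC_TABLE[index]
        size += len(name) + len(value) + ENTRY_OVERHEAD
        if size > max_header_list_size:
            return headers, size, True  # stop before allocating further fields
        headers.append((name, value))
    return headers, size, False

# Constructed samples: an ordinary 4-byte GET request block, and a 1000-byte block
# that repeats the one-byte ":method: GET" representation.
NORMAL_BLOCK = bytes([0x82, 0x84, 0x87, 0x90])
REPEATED_BLOCK = bytes([0x82]) * 1000

if __name__ == "__main__":
    for block in (NORMAL_BLOCK, REPEATED_BLOCK):
        hdrs, size, rejected = decode_indexed_block(block, 8192)
        print(f"wire={len(block)}B decoded={size}B fields={len(hdrs)} rejected={rejected}")
```

The ordinary block decodes to 184 bytes and passes; the repeated block is rejected after 195 fields, at 8232 decoded bytes, even though only 196 wire bytes had been read.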
The technique is not entirely new; it builds on past exploits such as the HPACK Bomb (CVE-2016-6581), a memory exhaustion vulnerability in Apache httpd's HTTP/2 implementation, and two DoS flaws in Apache HTTP Server via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546).
What's concerning is the ease with which an attacker can exploit this vulnerability. A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. This highlights the importance of prompt action to mitigate the risk.
Mitigation strategies include upgrading to patched versions of NGINX (1.29.8+) and Apache HTTPD (mod_http2 v2.0.41). For Microsoft IIS, Envoy, and Cloudflare Pingora, no patch is available as of the article's writing, so the recommended mitigation is to disable HTTP/2.
The HTTP/2 Bomb serves as a stark reminder of the ongoing arms race between cybersecurity researchers and attackers. It underscores the need for vigilance and proactive security measures to protect web servers from emerging threats.