
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute

Why This Matters

The HTTP/2 Bomb DoS attack exposes a critical vulnerability in major web servers' default configurations, enabling attackers to crash servers within seconds by exploiting protocol mechanisms. This highlights the urgent need for improved security measures and updates to mitigate such sophisticated threats, protecting both industry infrastructure and consumer access. As web services become more integral, understanding and defending against these vulnerabilities is essential for maintaining reliable internet services.

Key Takeaways

A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds.

The technique works on default HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

Discovered by OpenAI's Codex software agent under the guidance of researchers at offensive security firm Calif, HTTP/2 Bomb combines two previously known HTTP/2 DoS methods: the HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling.

When combined, a single client on a 100 Mbps connection can exhaust tens of gigabytes of RAM within seconds, forcing the server to allocate it and then preventing its release.

“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds,” the researchers say.

The HTTP/2 Bomb DoS attack abuses the HPACK mechanism used by the HTTP/2 protocol for header compression by inserting a header into the HPACK dynamic table and then referencing it repeatedly via a compact indexed representation that can be as small as one byte.

As a result, one byte sent by the attacker can result in thousands of bytes of server-side memory allocation, with Envoy and Apache httpd demonstrating the worst ratios at 5,700:1 and 4,000:1, respectively.

The second part of the attack consists of preventing the memory from being freed once the request completes. This can be achieved by advertising a zero-byte flow-control window. Instead of sending a response, the server periodically sends tiny WINDOW_UPDATE frames to avoid timeouts.

In this scenario, the requests are never fully completed, and the allocated memory keeps growing without being freed.

Calif researchers explain that this approach bypasses existing defenses such as limits on the total decoded header size, as the header values used in the attack are tiny, and amplification comes from internal per-header bookkeeping and memory allocations.
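To see why a limit on total decoded header size is not enough on its own, here is an added example (not code from the Calif research or from any of the servers named above) of a minimal HPACK header-block walker that counts fields and their per-entry bookkeeping using the 32-byte entry overhead from RFC 7541, and rejects a block once it exceeds a per-block field count. The sample block, the field limit and the subset of HPACK representations handled are constructed for this illustration.

```python
STATIC_ENTRIES = 61   # RFC 7541 Appendix A defines 61 static-table entries
ENTRY_OVERHEAD = 32   # RFC 7541 §4.1: entry size = len(name) + len(value) + 32
# Constructed sample: literal ("x": "y") enters the dynamic table, then 99 one-byte references to it (index 62 -> 0x80 | 62).
SAMPLE_BLOCK = bytes([0x40, 1, ord("x"), 1, ord("y")]) + bytes([0xBE]) * 99

def _read_int(block, pos, prefix_bits):
    """HPACK integer decoding (RFC 7541 §5.1); returns (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = block[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = block[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def _read_string(block, pos):
    """Raw string literal; Huffman-coded strings are out of scope here."""
    if block[pos] & 0x80:
        raise ValueError("Huffman-coded literal not handled in this example")
    length, pos = _read_int(block, pos, 7)
    return bytes(block[pos:pos + length]), pos + length

def inspect_header_block(block, max_fields):
    """Return (fields, decoded_bytes, amplification); raise ValueError when the
    block carries more than max_fields fields, which a size limit alone misses."""
    dynamic = []                               # dynamic[0] is the newest entry
    pos, fields, decoded = 0, 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                       # indexed header field (§6.1)
            index, pos = _read_int(block, pos, 7)
            if index <= STATIC_ENTRIES:
                raise ValueError("static-table references not modelled here")
            name, value = dynamic[index - STATIC_ENTRIES - 1]
        elif first & 0xC0 == 0x40 and first & 0x3F == 0:  # literal, new name (§6.2.1)
            name, pos = _read_string(block, pos + 1)
            value, pos = _read_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation not modelled in this example")
        fields += 1
        decoded += len(name) + len(value) + ENTRY_OVERHEAD
        if fields > max_fields:
            raise ValueError(f"header block exceeds {max_fields} fields")
    return fields, decoded, decoded / len(block)
```

On the constructed sample the walker reports 100 fields and 3,400 bytes of decoded bookkeeping for a 104-byte block, roughly 33:1, even though every header value is a single byte; it rejects the block as soon as the field limit is set below 100.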
