- New DoS technique called HTTP/2 Bomb
- Exploits blocking compression and flow control
- Top Web Servers Confirmed Vulnerable
We can thank AI for a new denial of service (DoS) technique that can take a server offline in just seconds, using nothing more than a single computer with a 100 Mbps connection.
Earlier this week, cybersecurity researchers at Calif revealed that they had discovered a new DoS technique called HTTP/2 Bomb. They found it with the help of OpenAI’s Codex software agent and say it combines two previously known HTTP/2 DoS methods: HPACK compression amplification and Slowloris-style resource retention through HTTP/2 flow-control blocking.
Simply put, the attack tricks a web server into reserving large amounts of memory while the attacker sends very little data. It abuses HPACK header compression, a feature of HTTP/2 that lets a small compressed request expand into a much larger amount of data inside the server, forcing the server to allocate memory for it.
Proof of concept published
Normally, this memory would be freed once the request has been processed. However, the attacker then uses a separate HTTP/2 feature, flow control, to keep the connection and its streams open indefinitely so the memory is never released. As new malicious requests arrive over such connections, memory usage climbs rapidly until the server slows down and eventually crashes.
Calif claims the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
According to CyberInsider, the affected products “power a significant portion of the web,” suggesting the risk is quite widespread. Some vendors have already released a patch, while other products remain vulnerable. Keep an eye on your server software for incoming updates.
“A personal computer connected at 100 Mbps can render a vulnerable server inaccessible in seconds. Compared to Apache httpd and Envoy, a single client can consume and retain 32 GB of server memory in about 20 seconds,” the researchers said.
Current defenses are powerless against the HTTP/2 Bomb, the researchers further explained. Limits on the total size of decoded headers, for example, do not help, because each individual header value used in the attack is tiny and stays well under such limits.
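To make the two ingredients described above concrete from the defender's side, here is an added example (it is not code from the article, from Calif, or from the researchers' PoC) that runs a simple heuristic over constructed per-connection HTTP/2 metrics. The record fields (wire header bytes, decoded header bytes retained, largest single header list, open and window-stalled streams) and all thresholds are assumptions chosen for illustration; a real deployment would have to export such counters from the server or proxy. The example also shows the point made about per-request header limits: every record passes a conventional maximum-header-list-size check, yet one connection retains thousands of times more decoded header memory than it sent while all its streams sit behind a zero flow-control window.

```python
"""Heuristic flagging of HTTP/2 connections that combine HPACK amplification
(far more decoded header memory retained than bytes received) with
flow-control stalls (open streams that cannot be flushed).

Added example with assumed metric fields and thresholds; not from the article.
"""

from dataclasses import dataclass


@dataclass
class ConnStats:
    """Assumed per-connection counters a server or proxy could export."""
    conn_id: str
    wire_header_bytes: int      # HPACK-encoded header bytes received on the wire
    decoded_header_bytes: int   # decoded header memory currently retained
    max_header_list_bytes: int  # largest single decoded header list seen
    open_streams: int           # streams still open on this connection
    stalled_streams: int        # open streams whose send window is zero
    age_seconds: float


# Assumed thresholds (illustrative, not tuned for any real server).
MAX_HEADER_LIST_SIZE = 8192        # typical per-request limit; passes for every record below
AMPLIFICATION_RATIO = 20.0         # retained decoded bytes divided by wire bytes
STALL_FRACTION = 0.8               # share of open streams blocked by a zero window
MIN_RETAINED_BYTES = 4 * 1024 * 1024


def amplification(s: ConnStats) -> float:
    """Ratio of retained decoded header memory to header bytes actually received."""
    if s.wire_header_bytes == 0:
        return float("inf") if s.decoded_header_bytes else 0.0
    return s.decoded_header_bytes / s.wire_header_bytes


def passes_header_list_limit(s: ConnStats) -> bool:
    """The conventional per-request check: is the largest header list under the cap?"""
    return s.max_header_list_bytes <= MAX_HEADER_LIST_SIZE


def classify(s: ConnStats) -> list:
    """Return the indicators present on one connection."""
    reasons = []
    if (amplification(s) >= AMPLIFICATION_RATIO
            and s.decoded_header_bytes >= MIN_RETAINED_BYTES):
        reasons.append("hpack-amplification")
    if s.open_streams and s.stalled_streams / s.open_streams >= STALL_FRACTION:
        reasons.append("flow-control-stall")
    return reasons


def find_suspicious(stats) -> dict:
    """Connections showing both indicators; either one alone is common benign behaviour."""
    return {s.conn_id: classify(s) for s in stats if len(classify(s)) == 2}


# Constructed sample connections (not real telemetry).
SAMPLE = [
    # ordinary browser session: modest compression gain, nothing stalled
    ConnStats("c1", wire_header_bytes=3000, decoded_header_bytes=9000,
              max_header_list_bytes=1500, open_streams=4, stalled_streams=0,
              age_seconds=12.0),
    # slow client on a large download: stalled streams, but no amplification
    ConnStats("c2", wire_header_bytes=2000, decoded_header_bytes=6000,
              max_header_list_bytes=1200, open_streams=10, stalled_streams=9,
              age_seconds=90.0),
    # both indicators: 64 MiB retained from 20 kB received, every stream stalled,
    # yet every individual header list is under the 8 kB cap
    ConnStats("c3", wire_header_bytes=20_000, decoded_header_bytes=64 * 1024 * 1024,
              max_header_list_bytes=4096, open_streams=1000, stalled_streams=1000,
              age_seconds=20.0),
]

if __name__ == "__main__":
    for s in SAMPLE:
        print(s.conn_id, f"amp={amplification(s):.1f}",
              "limit-ok" if passes_header_list_limit(s) else "limit-exceeded",
              classify(s))
    print("suspicious:", find_suspicious(SAMPLE))
```

The point of requiring both indicators is that each alone is ordinary: good compression ratios are the purpose of HPACK, and a slow consumer legitimately leaves streams stalled. A per-connection cap on retained decoded header bytes, enforced by closing the offending connection, is the kind of mitigation this heuristic would feed, and it does not depend on any single header list exceeding the usual size limit.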
Technical details will be released later this month, it was reported, but Calif has already released a proof of concept (PoC).
Via BleepingComputer