OpenAI’s Codex helps discover HTTP/2 Bomb DoS attack that can nuke over 30GB of RAM within seconds, knocking web servers offline before they can react

A new attack technique affects HTTP/2 configurations of major web servers
- New DoS technique dubbed HTTP/2 Bomb
- Exploits compression and flow‑control stalling
- Major web servers confirmed vulnerable
We can thank AI for a new denial-of-service (DoS) technique that can knock a web server offline in seconds, using nothing more than a single computer on a 100 Mbps connection.
Earlier this week, cybersecurity researchers at Calif disclosed a new DoS technique they call HTTP/2 Bomb. They used OpenAI’s Codex software agent to find it, and say it combines two previously known HTTP/2 DoS methods: HPACK compression amplification, and Slowloris-style resource retention through HTTP/2 flow-control stalling.
Simply put, the attack tricks a web server into reserving large amounts of memory while sending it very little data. HTTP/2 compresses request headers with HPACK, which lets a request refer to previously seen header fields by a short index, so a handful of bytes on the wire can decode into a much larger header block that the server has to allocate memory for.
Normally, that memory is released once the request has been processed. The attacker instead uses a second HTTP/2 feature, flow control, to keep the stream open indefinitely: a client that never enlarges its receive window prevents the server from delivering the response, so the server has to keep the stream’s state, and the memory behind it, resident. As more such requests arrive, memory use grows quickly until the server slows down and ultimately crashes.
Calif says the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.
According to CyberInsider, the affected products "power a significant portion of the web", so the exposure is broad. Some vendors have already issued patches, while others remain vulnerable; administrators should watch for updates and review their servers’ HTTP/2 configurations in the meantime.
“A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds,” the researchers said.
Existing defenses are no match for HTTP/2 Bomb, the researchers add. A limit on the total decoded header size, for example, does not help, because the header values used in the attack are minuscule: each individual request stays under any such per-request limit, while the memory it pins down accumulates across stalled streams.
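The two mechanisms described above (small wire bytes decoding into larger header blocks, and stalled streams that never release them) and the point that a per-request header-size limit does not catch the attack can be made concrete with a toy memory-accounting model. The following is an added illustration written for this article; it is not Calif’s proof of concept, not any server’s real code, and it does not reproduce whatever specifics Calif has yet to publish. The field and frame byte costs, the 16 KB per-request limit, the 64 KB per-connection stalled-memory budget, the stall timeout and the 50-connection scale are all assumptions chosen for the demonstration.

```python
"""Toy memory-accounting model of the HTTP/2 Bomb mechanism described above.

Added illustration for this article: not Calif's proof of concept and not any
server's real code. Byte costs are simplified and the scale is arbitrary.
"""
from dataclasses import dataclass, field

PER_FIELD_OVERHEAD = 32   # RFC 7541 s4.1: a header field costs name+value+32 bytes
FRAME_HEADER = 9          # HTTP/2 frame header bytes per HEADERS frame


@dataclass
class Stream:
    stream_id: int
    held_bytes: int   # decoded header block kept while the stream is open
    window: int       # peer's flow-control window; 0 means we cannot respond
    opened_at: int    # simulated clock tick when the stream was opened


@dataclass
class Connection:
    dynamic_table: dict = field(default_factory=dict)  # idx -> (name, value)
    streams: dict = field(default_factory=dict)        # stream_id -> Stream
    wire_bytes: int = 0
    rejected: int = 0


def decode_header_block(conn, block):
    """Return (wire_bytes, decoded_bytes) for one header block.

    block entries are ('literal', name, value) or ('indexed', idx).
    Indices are simplified: real HPACK numbers dynamic entries after the
    61-entry static table and renumbers them on every insertion.
    """
    wire, decoded = FRAME_HEADER, 0
    for entry in block:
        if entry[0] == 'literal':
            _, name, value = entry
            conn.dynamic_table[len(conn.dynamic_table) + 1] = (name, value)
            wire += len(name) + len(value) + 2   # two length prefixes
        else:
            name, value = conn.dynamic_table[entry[1]]
            wire += 1                            # one-byte index reference
        decoded += len(name) + len(value) + PER_FIELD_OVERHEAD
    return wire, decoded


def stalled_bytes(conn):
    """Memory held by streams whose peer is refusing to let us drain them."""
    return sum(s.held_bytes for s in conn.streams.values() if s.window == 0)


def open_stream(conn, stream_id, block, window, now,
                max_header_list=16384, max_stalled=None):
    """Decode a request's headers and keep the stream open.

    max_header_list is the per-request limit the article says is ineffective.
    max_stalled (None = off) is an assumed aggregate per-connection budget on
    memory held by stalled streams; exceeding it resets the new stream.
    """
    wire, decoded = decode_header_block(conn, block)
    conn.wire_bytes += wire
    if decoded > max_header_list:
        conn.rejected += 1
        return False
    if (max_stalled is not None and window == 0
            and stalled_bytes(conn) + decoded > max_stalled):
        conn.rejected += 1                       # RST_STREAM(ENHANCE_YOUR_CALM)
        return False
    conn.streams[stream_id] = Stream(stream_id, decoded, window, now)
    return True


def sweep(conn, now, stall_timeout):
    """Reset streams that have been stalled for more than stall_timeout ticks."""
    expired = [sid for sid, s in conn.streams.items()
               if s.window == 0 and now - s.opened_at > stall_timeout]
    for sid in expired:
        del conn.streams[sid]
    return len(expired)


def attack_block(first):
    """Constructed client header block: one tiny literal on the first request,
    then 200 one-byte references to it. Header values are minuscule on purpose."""
    fields = [('literal', 'x-a', 'y')] if first else [('indexed', 1)]
    return fields + [('indexed', 1)] * 199


def simulate(connections=50, streams_per_conn=100, max_stalled=None):
    """Every stream advertises window 0, so nothing is ever drained.
    Returns totals of wire bytes received, memory retained and streams rejected."""
    wire = retained = rejected = 0
    for _ in range(connections):
        conn = Connection()
        for sid in range(1, 2 * streams_per_conn, 2):   # client streams are odd
            open_stream(conn, sid, attack_block(first=(sid == 1)),
                        window=0, now=sid, max_stalled=max_stalled)
        wire += conn.wire_bytes
        retained += stalled_bytes(conn)
        rejected += conn.rejected
    return wire, retained, rejected


if __name__ == '__main__':
    print('per-request limit only:', simulate())
    print('plus stalled budget:   ', simulate(max_stalled=65536))
```

In the unhardened run every request decodes to about 7 KB, well under the 16 KB per-request limit, so that limit never fires; roughly 1 MB on the wire nevertheless pins about 36 MB across 5,000 stalled streams, and nothing ever frees it. Accounting for stalled memory per connection and sweeping streams that stay stalled past a deadline bounds what one connection can hold; because the budget is per connection, it has to be paired with a per-client connection limit to bound the total, and none of this says what the individual vendors’ patches actually changed.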
Full technical details are due later this month, but Calif has already released a proof-of-concept (PoC).
Via BleepingComputer
Sead Fadilpašić is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.