HTTP/2 Bomb: the new DoS attack that knocks down servers in seconds
Introduced as HTTP/2 Bomb
A new Denial-of-Service (DoS) attack scheme is active, allowing a single computer, utilizing a simple home connection of 100 Mbps, to saturate dozens of gigabytes of RAM in a matter of seconds, causing the immediate crash of the most widely used web servers on the market. The vulnerability, identified by OpenAI’s Codex AI software under the guidance of the offensive security research team Calif, is based on the combination of two already known attack techniques.
The destructive synergy combines HPACK compression amplification with Slowloris-style resource retention, the latter achieved through throttling HTTP/2 flow control. Essentially, the attacker abuses the header compression mechanism built into the HTTP/2 protocol. By inserting a header into the dynamic HPACK table and repeatedly calling it with ultra-compact indexed representations (some only a single byte in size), the attacker forces the server to allocate enormous amounts of memory. The amplification ratio is terrifying: on Envoy, it can reach 5,700:1, while on Apache httpd, the factor is 4,000:1. A single byte sent translates to kilobytes of RAM occupied on the server side.
Disaster Numbers: From Zero to 64 GB of RAM Saturated in Under a Minute
The second phase of the mechanism prevents the release of this memory once the request is completed. By declaring a flow control window of zero bytes, the malicious client forces the server to send small WINDOW_UPDATE packets to avoid connection timeouts, freezing requests in a state of perpetual incompleteness. Test results conducted by researchers highlight the extreme effectiveness of the attack vector, exposing the fragility of outdated systems in the face of cybersecurity threats of this magnitude:
- Envoy 1.37.2: 32 GB of RAM exhausted in just 10 seconds.
- Apache httpd 2.4.67: 32 GB of RAM saturated in about 18 seconds.
- nginx 1.29.7: 32 GB of RAM exhausted in about 45 seconds.
- Microsoft IIS (Windows Server 2025): a staggering 64 GB of RAM consumed in 45 seconds.
Traditional defenses, such as limits on the maximum size of decoded headers, are easily circumvented, as the header values used in the attack are microscopic. Amplification occurs at the web server’s internal memory management level. Currently, nginx has resolved the vulnerability in version 1.29.8 by introducing the 'max_headers' directive. Apache has released a patch in mod_http2 2.0.41, cataloging the bug as CVE-2026-49975. In contrast, official fixes are not yet available for Microsoft IIS, Envoy, and Cloudflare Pingora. For these systems, the only effective mitigation is to temporarily disable the HTTP/2 protocol or insert a reverse proxy or firewall capable of imposing strict limits on header counts.