[TIMESTAMP: 2026-06-03 09:43 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

HTTP/2 Bomb: Remote DoS Affects NGINX, Apache, and Microsoft IIS

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Attackers can trigger remote denial-of-service conditions against global web infrastructure by exploiting default protocol settings.
  • [02] Affected systems include default installations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.
  • [03] Administrators must review HTTP/2 configuration limits and apply vendor-specific patches to mitigate resource exhaustion.

Cybersecurity researchers at Calif have identified a significant threat vector known as the ‘HTTP/2 Bomb,’ which facilitates remote DDoS attacks against major web servers. According to The Hacker News, the vulnerability stems from the default implementation and handling of the HTTP/2 protocol in products such as NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora.

The discovery, notably attributed to OpenAI Codex, highlights a technical oversight in how these servers manage incoming streams and frames. While a zero-day usually calls for rapid patching of a single product, this flaw is particularly insidious because it resides in the default configuration of the world’s most popular web servers and proxies.

Technical Analysis of the HTTP/2 Bomb Vulnerability

The HTTP/2 Bomb functions as a resource exhaustion attack. It leverages the multiplexing capabilities of the protocol to overwhelm a server’s memory or CPU. An attacker sends a relatively small amount of data that expands significantly once the target processes it, a pattern similar to a Zip Bomb. By sending a carefully crafted series of frames, the attacker can force the server to allocate large amounts of memory or burn excessive CPU cycles tracking the state of many concurrent streams.

Because the vulnerability exists in each server’s default HTTP/2 configuration, organizations that have not manually hardened their protocol settings are at immediate risk. In a typical SOC environment, detecting this activity requires granular visibility into layer 7 traffic. Traditional EDR solutions may not capture the initial handshake and frame exchange, making network-level monitoring and SIEM correlation essential for identifying the start of an attack.

How to Detect HTTP/2 Bomb Exploit Activity

Security teams should look for anomalous spikes in memory utilization paired with an unusually high number of concurrent HTTP/2 streams from a single source. Monitoring for Rapid Reset patterns or excessive SETTINGS frame updates can provide early warning signs. Identifying this activity early is vital for preventing a total site outage. Analysts should specifically look for high rates of stream creation that do not result in substantive data transfer, as this is a common TTP associated with resource-bombing attacks.
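One way to implement the stream-creation check described above, as an added example that is not part of the original article: a Python script that reads NGINX access-log lines and flags HTTP/2 connections that open many streams in a short time while serving almost no data. It assumes a custom log_format (the $msec, $connection, $connection_requests, $server_protocol and $body_bytes_sent variables are real NGINX variables; the exact format string, the field names and the thresholds are assumptions), and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed (hypothetical) nginx log_format, one line per completed request/stream:
#   '$msec $remote_addr conn=$connection req=$connection_requests $server_protocol $status $body_bytes_sent'
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<ip>\S+) conn=(?P<conn>\d+) req=(?P<req>\d+) "
    r"(?P<proto>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

def parse_line(line):
    """Parsed fields of one access-log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return None if m is None else m.groupdict()

def find_stream_floods(lines, min_streams=100, min_rate=50.0, max_avg_bytes=64):
    """Flag (client, connection) pairs that opened >= min_streams HTTP/2 streams at
    >= min_rate streams/s while serving < max_avg_bytes per stream on average."""
    conns = defaultdict(lambda: {"streams": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["proto"].startswith("HTTP/2"):
            continue  # skip unparseable lines and HTTP/1.x traffic
        c = conns[(rec["ip"], int(rec["conn"]))]
        ts = float(rec["ts"])
        c["streams"] = max(c["streams"], int(rec["req"]))  # $connection_requests is cumulative
        c["bytes"] += int(rec["bytes"])
        c["first"] = ts if c["first"] is None else min(c["first"], ts)
        c["last"] = ts if c["last"] is None else max(c["last"], ts)
    flagged = []
    for (ip, conn), c in conns.items():
        rate = c["streams"] / max(c["last"] - c["first"], 1.0)  # floor the span at 1 s
        avg = c["bytes"] / c["streams"]
        if c["streams"] >= min_streams and rate >= min_rate and avg < max_avg_bytes:
            flagged.append({"ip": ip, "conn": conn, "streams": c["streams"],
                            "streams_per_sec": round(rate, 1), "avg_bytes": round(avg, 1)})
    return sorted(flagged, key=lambda f: -f["streams"])

# Constructed sample: two ordinary clients, then one connection opening 300 streams
# in two seconds that are all closed (status 499) before any response body is sent.
SAMPLE_LOG = [
    "1717407780.10 198.51.100.7 conn=41 req=1 HTTP/2.0 200 5120",
    "1717407780.90 198.51.100.7 conn=41 req=2 HTTP/2.0 200 20480",
    "1717407781.00 198.51.100.9 conn=42 req=1 HTTP/1.1 200 8192",
] + [
    f"{1717407782 + i / 150:.2f} 203.0.113.5 conn=43 req={i + 1} HTTP/2.0 499 0"
    for i in range(300)
]
```

Running find_stream_floods(SAMPLE_LOG) reports only conn=43 from 203.0.113.5; the thresholds should be tuned against a baseline of legitimate HTTP/2 traffic before alerting on them.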

NGINX HTTP/2 DoS Mitigation Steps and Best Practices

Defenders must move beyond default settings to secure their infrastructure. For those running NGINX, several NGINX HTTP/2 DoS mitigation steps should be prioritized to ensure continued availability:

  • Limit the http2_max_concurrent_streams directive to a value that balances performance and security requirements.
  • Adjust the http2_recv_buffer_size and http2_max_field_size to prevent excessive memory allocation per stream.
  • Implement rate limiting at the edge to throttle suspicious IP addresses before they can establish a high volume of connections.

For Microsoft IIS and Apache users, similar restrictions on concurrent requests and header size limits are necessary. Since this is not a traditional RCE but a denial-of-service vector, the primary goal is ensuring availability under stress. If indicators of a sustained attack are confirmed, temporarily disabling HTTP/2 in favor of HTTP/1.1 may be used as a last-resort stopgap while patches are applied.

Impact on Cloud and Edge Infrastructure

The inclusion of Envoy and Cloudflare Pingora in the list of affected systems indicates that the attack surface is broad. Many modern architectures rely on Envoy as an ingress gateway or sidecar proxy in service meshes. If these components fail, the entire microservices architecture can become unreachable, leading to widespread service outages. Because these proxies often sit at the very edge of a network, they are the first point of contact for external traffic, making them a primary target.

Organizations adopting a Zero Trust architecture should ensure that their policy enforcement points are not themselves vulnerable to this protocol-level exhaustion. Failure to address this default HTTP/2 configuration vulnerability could allow a single APT or low-skill actor to take down critical services with minimal bandwidth requirements. Periodic MITRE ATT&CK mapping of DoS techniques should include this new vector to ensure defensive coverage remains comprehensive.
