HTTP/2’s speed abused to slow webserver performance in DoS attack
Summary
Security researchers have identified a denial-of-service vulnerability in the default HTTP/2 configuration used by major web servers. The flaw, dubbed "HTTP/2 Bomb," abuses header compression to cause disproportionate memory consumption, allowing attackers to slow down web server performance with minimal traffic. This issue affects popular servers like nginx, Apache, Microsoft IIS, Envoy, and Cloudflare's Pingora.
IFF Assessment
This article highlights a vulnerability that can be exploited to degrade web server performance, posing a direct threat to the availability of online services.
Severity
This vulnerability targets HTTP/2 header compression, allowing for denial-of-service attacks with a high impact on availability. The attack vector is network-based, and while it requires some attacker control, it leverages a fundamental protocol feature, making it relatively easy to exploit and leading to significant resource exhaustion.
Defender Context
Defenders should be aware of this HTTP/2 vulnerability and ensure their web servers are patched, or configured to mitigate the risk. Organizations running affected server software should monitor their systems for unusual traffic patterns indicative of a Slowloris-style attack, particularly traffic that targets the header compression mechanism.