Summary
Researchers discovered the "HTTP/2 Bomb," an exploit that chains HPACK compression flaws with window-stalling techniques to exhaust server memory and knock major web servers offline in seconds. The attack affects NGINX, Apache, IIS, and Envoy, allowing a single client to consume up to 64GB of RAM using minimal bandwidth.
Take Action:
If you run nginx, Apache httpd, IIS, Envoy, or Cloudflare Pingora with HTTP/2 enabled, patch now where fixes exist (nginx 1.29.8, Apache mod_http2 v2.0.41, and Envoy's recent patch). Where no patch is available or you can't upgrade yet, disable HTTP/2, put the server behind a proxy that hard-caps the number of headers per request, and set per-worker memory limits so a bombed process gets killed and restarted before it takes down the machine.
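As an added illustration of the interim mitigations listed above (this is example configuration, not from the BeyondMachines article), the nginx server block below bounds per-request header bytes, caps concurrent streams, shortens the header timeout, and shows HTTP/2 switched off for an unpatched host. Directive names are real nginx directives; the hostname, certificate paths, upstream address and limit values are placeholders to adapt to your deployment.

```nginx
# Added example (not the article's own config): interim hardening for an
# nginx front end while HTTP/2 fixes are rolled out. Values are illustrative.
http {
    # Bound header bytes per request. Since nginx 1.19.7 this also caps the
    # decompressed size of an HTTP/2 header block (HPACK output).
    large_client_header_buffers 4 8k;

    # Fewer concurrent streams per connection means less per-stream state a
    # single stalling client can force a worker to hold.
    http2_max_concurrent_streams 32;

    # Keep the per-connection HTTP/2 receive buffer small.
    http2_recv_buffer_size 64k;

    # Close connections that leave headers half-sent instead of holding them.
    client_header_timeout 10s;

    server {
        listen 443 ssl;
        server_name example.com;                           # placeholder
        ssl_certificate     /etc/nginx/tls/fullchain.pem;  # placeholder path
        ssl_certificate_key /etc/nginx/tls/privkey.pem;    # placeholder path

        # Option A (no fix deployed yet): turn HTTP/2 off; clients fall back
        # to HTTP/1.1 over TLS. Requires nginx 1.25.1+ for the http2 directive;
        # on older builds, simply omit "http2" from the listen line.
        http2 off;

        # Option B (running a fixed build): re-enable HTTP/2 but keep the
        # limits above in force.
        # http2 on;

        location / {
            proxy_pass http://127.0.0.1:8080;   # placeholder upstream
        }
    }
}
```

Note that nginx limits header block size rather than header count; a proxy that enforces a hard per-request header count (for example Envoy's `common_http_protocol_options.max_headers_count`, which defaults to 100) belongs in front of servers that cannot be patched yet. The per-worker memory cap the article recommends is not an nginx directive; on systemd hosts, set `MemoryMax=` in a drop-in for the nginx service so an over-consuming process is killed and restarted by the service manager rather than exhausting the machine.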
This article was originally published on BeyondMachines