Fedora Account System
Red Hat Associate
Red Hat Customer
We’re publishing HTTP/2 Bomb, a remote denial-of-service exploit against most major web servers, including: nginx Apache httpd Microsoft IIS Envoy Cloudflare Pingora The vulnerable behavior exists in each server's default HTTP/2 configuration. The attack was discovered by Codex, which chained two techniques known to humans for a decade: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, HTTP/2's header compression scheme: one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. The hold is a zero-byte flow-control window that keeps the server from ever freeing any of it. A curious search on Shodan revealed 880,000+ websites supporting HTTP/2 and running one of these servers, though many sit behind a CDN, which is much harder to bring down. A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds.
Upstream commit for this fix: https://github.com/nginx/nginx/commit/365694160a85229a7cb006738de9260d49ff5fa2