The HTTP/2 Bomb: A Remote Denial-of-Service Vulnerability in Major Web Servers
A critical remote denial-of-service vulnerability has been disclosed in major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Dubbed the HTTP/2 Bomb, it can make an affected server unresponsive within seconds, which makes it a significant threat to web infrastructure.
What makes it insidious is that it combines two well-known techniques: a compression bomb and a Slowloris-style hold. The bomb targets HPACK, HTTP/2's header compression scheme. An indexed header field is a single byte on the wire that the server must expand into a full header allocation, and a request can repeat that byte thousands of times, so one byte on the wire becomes one full header allocation on the server, thousands of times per request.
The hold is a zero-byte flow-control window: the client advertises a receive window of 0, so the server can never send the response body and never gets to free the memory the bomb allocated. Together they let a single client consume and hold 32GB of server memory against Apache HTTPD and Envoy in about 20 seconds, rendering the server inaccessible.
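As an added illustration (my code, not code from the article or from any of the affected projects), the following Python parses a client's raw HTTP/2 byte stream, reads its SETTINGS frame, and flags the hold pattern described above. It assumes the zero window is advertised through SETTINGS_INITIAL_WINDOW_SIZE, the most direct way to do it; the open-stream threshold and the sample capture are constructed for the example.

```python
"""Added example: parse raw HTTP/2 frames (RFC 7540) from a client byte stream and
flag the hold pattern: a zero flow-control window advertised via
SETTINGS_INITIAL_WINDOW_SIZE combined with many streams left open on the server.
Not code from the article; the threshold is an illustrative assumption."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface, RFC 7540 section 3.5
FRAME_HEADER_LEN = 9                            # 24-bit length, 8-bit type, 8-bit flags, R + 31-bit stream id

# Frame types and flags used here (RFC 7540 section 6)
TYPE_HEADERS = 0x1
TYPE_SETTINGS = 0x4
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
FLAG_SETTINGS_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4              # RFC 7540 section 6.5.2

def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 9-byte header followed by the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length")
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF)
    return header + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        start = pos + FRAME_HEADER_LEN
        if start + length > len(data):
            break                               # truncated trailing frame: stop rather than guess
        yield ftype, flags, stream_id, data[start:start + length]
        pos = start + length

def parse_settings(payload):
    """Decode a SETTINGS payload: a sequence of 16-bit identifier / 32-bit value pairs."""
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return {ident: value for ident, value in struct.iter_unpack(">HI", payload)}

def assess_client_stream(data, max_open_streams=100):
    """Summarize what a client sent and decide whether it matches the hold pattern.
    max_open_streams is an illustrative threshold, not a value from the article."""
    if not data.startswith(PREFACE):
        raise ValueError("missing HTTP/2 client connection preface")
    initial_window = 65535                      # RFC 7540 default before any SETTINGS arrives
    open_streams = set()
    for ftype, flags, stream_id, payload in parse_frames(data[len(PREFACE):]):
        if ftype == TYPE_SETTINGS and not flags & FLAG_SETTINGS_ACK:
            initial_window = parse_settings(payload).get(SETTINGS_INITIAL_WINDOW_SIZE, initial_window)
        elif ftype == TYPE_HEADERS:
            open_streams.add(stream_id)         # a request the server now holds state for
    return {
        "initial_window": initial_window,
        "open_streams": len(open_streams),
        "looks_like_hold": initial_window == 0 and len(open_streams) >= max_open_streams,
    }

def constructed_capture(stream_count, window):
    """Constructed sample capture (not real traffic): preface, SETTINGS advertising the
    given initial window, then one tiny HEADERS frame per client stream (odd ids)."""
    settings = build_frame(TYPE_SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, window))
    hpack = b"\x82\x84\x87"                     # HPACK indexed fields: :method GET, :path /, :scheme https
    headers = b"".join(build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 2 * i + 1, hpack)
                       for i in range(stream_count))
    return PREFACE + settings + headers

if __name__ == "__main__":
    print(assess_client_stream(constructed_capture(200, 0)))       # flagged
    print(assess_client_stream(constructed_capture(200, 65535)))   # not flagged
```

Flow control in HTTP/2 governs only DATA frames, so a zero window does not stop requests from arriving; it stops the response body from leaving, which is what keeps the per-request state alive. A zero initial window on its own is legitimate (a client may open it later with WINDOW_UPDATE), so the signal is the combination with a large number of open streams, not the setting by itself.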
The HTTP/2 Bomb is not a new concept, but it gives an old idea a new twist. It builds on several known approaches: the HPACK Bomb (CVE-2016-6581) and two earlier denial-of-service flaws in Apache HTTP Server's HTTP/2 implementation, memory exhaustion via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546).
The amplification effect is what sets the HTTP/2 Bomb apart from its predecessors. The classic HPACK bomb stuffs a large value into the dynamic table and references it repeatedly, so servers learned to cap the total decoded header size. The new variant goes the other way: each header is nearly empty, and the amplification comes from the per-entry bookkeeping the server allocates around it. The decoded-size limit never fires because there is almost nothing to decode.
The implications are far-reaching. A single client on a home computer with a 100Mbps connection is enough to render a vulnerable server inaccessible within seconds.
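To make the difference between the two limits concrete, here is an added example (my code, not the article's or any vendor's) of a minimal HPACK decoder (RFC 7541) that enforces a cap on decoded name+value bytes, the classic HPACK-bomb defence, alongside a cap on header count like the max_headers directive mentioned in the mitigations. The static table is partial, Huffman-coded strings and the dynamic table are left out, and the limit values are illustrative assumptions.

```python
"""Added example: minimal HPACK decoder that expands one-byte indexed header fields
and applies two limits side by side: decoded name+value bytes (classic bomb defence)
and header count. Not code from the article; partial static table, limits illustrative."""

# Partial HPACK static table (RFC 7541 Appendix A); indices not listed here are rejected.
STATIC_TABLE = {
    1: (b":authority", b""), 2: (b":method", b"GET"), 3: (b":method", b"POST"),
    4: (b":path", b"/"), 5: (b":path", b"/index.html"), 6: (b":scheme", b"http"),
    7: (b":scheme", b"https"), 8: (b":status", b"200"), 21: (b"age", b""),
    33: (b"date", b""), 37: (b"from", b""), 58: (b"user-agent", b""),
}
ENTRY_OVERHEAD = 32   # RFC 7541 s4.1 / RFC 7540 s6.5.2: per-field bookkeeping charged by the spec

class HeaderLimitExceeded(Exception):
    pass

def lookup(index):
    if index not in STATIC_TABLE:
        raise ValueError(f"index {index} not in this partial static table")
    return STATIC_TABLE[index]

def decode_int(data, pos, prefix_bits):
    """RFC 7541 s5.1 integer: prefix_bits in the first byte, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated integer")
        b = data[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def decode_string(data, pos):
    """RFC 7541 s5.2 string literal; Huffman-coded strings are out of scope in this example."""
    if data[pos] & 0x80:
        raise ValueError("Huffman-coded string not supported in this example")
    length, pos = decode_int(data, pos, 7)
    if pos + length > len(data):
        raise ValueError("truncated string")
    return data[pos:pos + length], pos + length

def decode_header_block(block, max_bytes=8192, max_headers=None):
    """Decode a header block, enforcing a decoded-byte cap and (optionally) a count cap.
    Raises HeaderLimitExceeded as soon as either cap is crossed, before storing more fields."""
    headers, pos, decoded_bytes = [], 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                                   # indexed field: one byte for index < 127
            index, pos = decode_int(block, pos, 7)
            name, value = lookup(index)
        elif first & 0x40 or first & 0x20:                 # incremental indexing / table size update
            raise ValueError("dynamic table operations not supported in this example")
        else:                                              # literal without / never indexed (4-bit prefix)
            index, pos = decode_int(block, pos, 4)
            if index:
                name = lookup(index)[0]
            else:
                name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
        decoded_bytes += len(name) + len(value)
        if decoded_bytes > max_bytes:
            raise HeaderLimitExceeded(f"decoded bytes exceed {max_bytes}")
        if max_headers is not None and len(headers) + 1 > max_headers:
            raise HeaderLimitExceeded(f"header count exceeds {max_headers}")
        headers.append((name, value))
    return headers

def rfc_list_size(headers):
    """SETTINGS_MAX_HEADER_LIST_SIZE accounting: name + value + 32 octets per field."""
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)

def build_indexed_block(index, count):
    """count one-byte references to a static index (< 127): the 'nearly empty' header."""
    assert 0 < index < 127
    return bytes([0x80 | index]) * count

if __name__ == "__main__":
    block = build_indexed_block(21, 2000)          # 2000 x "age:" costs 2000 bytes on the wire
    hdrs = decode_header_block(block)              # 6000 decoded bytes: the byte cap never fires
    print(len(hdrs), "fields,", rfc_list_size(hdrs), "octets by RFC accounting")
    try:
        decode_header_block(block, max_headers=1000)
    except HeaderLimitExceeded as e:
        print("count cap:", e)
```

The byte cap measures what the bomb does not produce, so 2000 empty fields pass an 8 KB limit while still costing 2000 allocations. The count cap fires at the first excess field. Note that the spec's own accounting for SETTINGS_MAX_HEADER_LIST_SIZE charges 32 octets per field precisely for this bookkeeping; a server that enforces its limit on raw name+value bytes instead of that figure is the one this variant slips past.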
To counter the vulnerability, apply the following mitigations:
- NGINX: Upgrade to 1.29.8+, which adds the max_headers directive with a default of 1000. If upgrading is not an option, disable HTTP/2 with http2 off; clients then fall back to HTTP/1.1.
- Apache HTTPD: Fixed in mod_http2 v2.0.41. If upgrading is not an option, set Protocols http/1.1 to disable HTTP/2.
- Microsoft IIS, Envoy, and Cloudflare Pingora: No patch available as of writing.
The HTTP/2 Bomb highlights the ongoing challenges in securing web servers. As web technologies evolve, so do the techniques of malicious actors. It is crucial for organizations to stay vigilant and proactive in their approach to cybersecurity to protect their web infrastructure from emerging threats.