A new denial-of-service attack called HTTP/2 Bomb enables attackers to crash web servers in under a minute using just one machine. The attack exploits the HTTP/2 protocol, which many modern web servers run by default.
HTTP/2 Bomb works by sending specially crafted HTTP/2 requests that consume server resources at an exponential rate. The attacker leverages HTTP/2's multiplexing feature, which allows multiple streams over a single connection. By sending requests with nested headers or compressed data payloads, attackers force servers to allocate memory and processing power disproportionate to the bandwidth used. This creates an amplification effect where minimal input generates massive resource consumption on the target.
The attack succeeds because affected servers lack proper rate limiting or request validation for HTTP/2 streams. Popular web servers including Apache, Nginx, and others remain vulnerable if running default configurations without tuning. The low bandwidth requirement means attackers bypass many network-based DoS protections designed to detect volumetric attacks.
Response time is critical. Security teams must identify and mitigate HTTP/2 Bomb attacks within seconds, before servers become unresponsive. Traditional DoS mitigation strategies that focus only on connection limits or request throttling prove insufficient.
Organizations should immediately audit their HTTP/2 implementations. Patches exist for affected platforms, though administrators must explicitly enable stronger protections. Implementing HTTP/2 stream limits, proper timeout configurations, and strict header validation reduces exposure. Content delivery networks and DDoS mitigation services offer protection by filtering malicious HTTP/2 traffic upstream.
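As an added illustration that is not part of the article and not taken from any vendor guide, the server block below applies the three controls the paragraph names (stream limits, timeouts, header validation) in nginx; it assumes nginx 1.19.7 or later, where HTTP/2 header limits are governed by `large_client_header_buffers`, and the numeric values, hostname and paths are placeholder assumptions to be tuned against real traffic.

```nginx
# Added example, not the article's own configuration. Place inside the
# http { } context of nginx.conf. Values are illustrative assumptions,
# not vendor-recommended numbers.
server {
    listen 443 ssl http2;
    server_name example.com;                    # placeholder hostname
    ssl_certificate     /etc/ssl/example.pem;   # placeholder paths
    ssl_certificate_key /etc/ssl/example.key;

    # Stream limit: cap concurrent HTTP/2 streams per connection so one
    # client cannot multiplex an unbounded number of in-flight requests.
    # nginx default is 128; 32 is an illustrative tighter value.
    http2_max_concurrent_streams 32;

    # Timeouts: bound how long a slow or idle client can hold buffers and
    # worker state. Defaults are 60s/60s/75s respectively.
    client_header_timeout 10s;
    client_body_timeout   10s;
    keepalive_timeout     30s;

    # Header validation: one buffer bounds a single header line, and
    # number x size bounds the whole decoded header block. Oversized or
    # overly compressed headers are rejected with 431 instead of stored.
    large_client_header_buffers 2 8k;

    location / {
        proxy_pass http://backend;              # placeholder upstream
    }
}
```

After changing these values, run `nginx -t` and watch for 431 and 503 responses in the access log, since legitimate clients with large cookies or many parallel fetches can trip limits set too tightly.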
System administrators should prioritize updating web servers to patched versions and review HTTP/2 configuration guides from vendors. Disabling HTTP/2 remains a temporary option for critical systems until patches deploy, though this sacrifices modern protocol benefits. Network monitoring tools capable of detecting HTTP/2 stream anom
