Threat Intelligence | Bleeping Computer
9.0 — CRITICAL
New 'HTTP/2 Bomb' DoS attack crashes web servers in under a minute
A new denial-of-service (DoS) attack dubbed HTTP/2 Bomb can be launched from a single machine to take down web servers within seconds. [...]
🤖 AI Briefing: Auto-generated threat analysis
🔍 Threat Overview
A new HTTP/2 denial-of-service (DoS) attack, dubbed HTTP/2 Bomb, can be launched from a single machine to take down web servers within seconds by exploiting default configurations of major web servers.
⚙️ Technical Details
Affected Systems
NGINX, Apache HTTP Server, Microsoft IIS, Envoy, Cloudflare Pingora
Attack Vectors
HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling
💥 Impact Assessment
Severity: critical
Who Is at Risk
Web servers with default HTTP/2 configurations, including those running NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora
🛡️ Recommended Actions
1. Disable HTTP/2 where feasible
2. Place a proxy/firewall in front of vulnerable web servers that enforces hard header-count limits
3. Apply patches for affected systems as soon as possible
📦 Affected Products
NGINX, Apache HTTP Server, Microsoft IIS, Envoy, Cloudflare Pingora
This is a curated summary. The complete article is available at Bleeping Computer.
