The HTTP/2 Bomb: A Remote Denial-of-Service Threat to Major Web Servers
A newly disclosed denial-of-service technique dubbed the HTTP/2 Bomb threatens the availability of major web servers. The attack, uncovered by Calif, is a reminder of how hard it remains to protect web infrastructure against resource-exhaustion attacks.
A Complex Exploit
The HTTP/2 Bomb combines two known techniques: a compression bomb and a Slowloris-style hold. It targets HPACK, HTTP/2's header compression scheme, in which a single indexed-field byte on the wire makes the server materialize a complete header on its side. The amplification comes from the per-entry bookkeeping a server allocates around each header, which for nearly empty headers dwarfs the header itself. The decoded-size limit (SETTINGS_MAX_HEADER_LIST_SIZE, which counts each field as name plus value plus a fixed 32-octet overhead) therefore bounds what the server counts, not what it actually allocates, and so fails to cap memory use.
The impact is what makes the technique dangerous. A home computer on a 100 Mbps connection can make a vulnerable server unreachable within seconds, and a single client can consume and hold 32 GB of server memory against Apache HTTPD and Envoy in just 20 seconds.
A History of Similar Exploits
The HTTP/2 Bomb builds on earlier work: the original HPACK Bomb (CVE-2016-6581), and two denial-of-service flaws in Apache HTTP Server's HTTP/2 implementation, memory exhaustion via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546).
The Spec's Limitation
Calif points out a gap in the specification: it frames the memory risk purely as an amplification ratio and ignores that an HTTP/2 client can hold a connection open almost for free. A client can therefore pin every byte the server allocated for as long as it likes, and that hold is what turns a 70:1 amplifier into a practical memory-exhaustion attack.
Mitigation Strategies
The HTTP/2 Bomb affects major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. Mitigations available at the time of writing:
- NGINX: Upgrade to version 1.29.8 or later and make sure the max_headers directive is in effect (its default is 1000). Alternatively, disable HTTP/2 with the http2 off; directive.
- Apache HTTPD: Update to mod_http2 v2.0.41, or disable HTTP/2 with Protocols http/1.1.
- Microsoft IIS, Envoy, and Cloudflare Pingora: No patch is currently available. Until one is, monitor server memory and connection counts closely, and consider disabling HTTP/2 where the deployment allows it.
Whichever route you take, verify afterwards that the server no longer negotiates h2: the status line printed by curl -sI --http2 https://host reads HTTP/2 only when h2 was actually negotiated over ALPN.
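The single-byte amplification described under "A Complex Exploit" and the header-count cap behind the NGINX max_headers mitigation, as an added example (not code from Calif, NGINX, Apache, or any other project named here): a minimal Python HPACK decoder that counts header-list size the way SETTINGS_MAX_HEADER_LIST_SIZE does, decodes a constructed bomb block (one 4-byte literal followed by single-byte indexed references to it), and compares a size-only limit with one that also caps the number of fields. The 32-octet per-field figure is the RFC's accounting overhead, not a measurement of any server's real allocation, which the article puts far higher; the function names and the constructed inputs are this example's own, and the decoder handles only non-Huffman strings and four static-table entries.

```python
# Minimal HPACK decoder with SETTINGS_MAX_HEADER_LIST_SIZE-style accounting plus an
# optional header-count cap. Added illustration, not Calif's or any server's code;
# non-Huffman strings and four static-table entries only.
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"),   # RFC 7541 Appendix A
                4: (":path", "/"), 7: (":scheme", "https")}
STATIC_COUNT = 61    # real static table length; dynamic entries start at index 62
ENTRY_OVERHEAD = 32  # per-field overhead in RFC 7541 s4.1 and RFC 9113 s6.5.2

class HeaderLimitExceeded(ValueError):
    """A header block exceeded the configured size or count limit."""

def decode_int(buf, pos, prefix_bits):
    """RFC 7541 s5.1 integer: N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    while value >= mask:                 # prefix saturated: continuation bytes follow
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            break
    return value, pos

def decode_string(buf, pos):
    if buf[pos] & 0x80:                  # RFC 7541 s5.2; H bit (Huffman) unsupported here
        raise ValueError("Huffman strings not supported in this demo")
    length, pos = decode_int(buf, pos, 7)
    return buf[pos:pos + length].decode("ascii"), pos + length

def header_list_size(headers):
    """Size as SETTINGS_MAX_HEADER_LIST_SIZE counts it: name + value + 32 per field."""
    return sum(len(n) + len(v) + ENTRY_OVERHEAD for n, v in headers)

class Decoder:
    def __init__(self, max_header_list_size=8192, max_headers=None, table_size=4096):
        self.max_list, self.max_table = max_header_list_size, table_size
        self.max_headers = max_headers   # None = size-only limit, the weak setting
        self.dynamic = []                # dynamic table, newest entry first

    def lookup(self, index):
        if 1 <= index <= STATIC_COUNT:
            return STATIC_TABLE[index]   # KeyError for static entries this demo omits
        if index == 0 or index - STATIC_COUNT > len(self.dynamic):
            raise ValueError(f"index {index} out of range")
        return self.dynamic[index - STATIC_COUNT - 1]

    def literal(self, block, pos, prefix_bits):
        index, pos = decode_int(block, pos, prefix_bits)
        name, pos = (self.lookup(index)[0], pos) if index else decode_string(block, pos)
        value, pos = decode_string(block, pos)
        return name, value, pos

    def decode(self, block):
        headers, accounted, pos = [], 0, 0
        while pos < len(block):
            b = block[pos]
            if b & 0x80:                            # 1xxxxxxx indexed field: one byte
                index, pos = decode_int(block, pos, 7)
                name, value = self.lookup(index)
            elif b & 0xC0 == 0x40:                  # 01xxxxxx literal, added to table
                name, value, pos = self.literal(block, pos, 6)
                self.dynamic.insert(0, (name, value))
                while header_list_size(self.dynamic) > self.max_table:
                    self.dynamic.pop()              # RFC 7541 s4.4 eviction
            elif b & 0xE0 == 0x20:                  # 001xxxxx dynamic table size update
                raise ValueError("table size update not supported in this demo")
            else:                                   # 0000/0001 literal, not indexed
                name, value, pos = self.literal(block, pos, 4)
            headers.append((name, value))
            accounted += len(name) + len(value) + ENTRY_OVERHEAD
            if accounted > self.max_list:
                raise HeaderLimitExceeded("header list size limit")
            if self.max_headers is not None and len(headers) > self.max_headers:
                raise HeaderLimitExceeded("header count limit")
        return headers

def build_bomb_block(n_refs):
    """Constructed input: a 4-byte literal installs ("a", "") as dynamic entry 62,
    then n_refs one-byte indexed references to it (0x80 | 62 = 0xBE)."""
    return bytes([0x40, 0x01, ord("a"), 0x00]) + bytes([0x80 | (STATIC_COUNT + 1)]) * n_refs

def build_normal_request(authority="example.com"):
    """Constructed input: GET / over https via static indexes 2, 7, 4 plus a literal :authority."""
    host = authority.encode("ascii")
    return bytes([0x82, 0x87, 0x84, 0x01, len(host)]) + host

def classify(block, max_header_list_size=8192, max_headers=None):
    """Decode under the given limits and report what the byte accounting sees."""
    try:
        headers = Decoder(max_header_list_size, max_headers).decode(block)
    except HeaderLimitExceeded as exc:
        return {"accepted": False, "reason": str(exc), "wire": len(block)}
    size = header_list_size(headers)
    return {"accepted": True, "headers": len(headers), "accounted": size,
            "wire": len(block), "ratio": round(size / len(block), 1)}

if __name__ == "__main__":
    print("normal:", classify(build_normal_request()), "\nbomb, size limit only:", classify(build_bomb_block(200)))
    print("bomb, size + count cap:", classify(build_bomb_block(1500), 65536, 1000))
```

Run as a script, it shows that a 204-byte bomb block decodes to 201 fields worth 6,633 accounted octets (about 32 per wire byte), which the default 8 KiB header-list limit admits, whereas an ordinary GET decodes to 4 fields at roughly 11 accounted octets per wire byte. A 1,504-byte block decoding to 1,501 fields passes a 64 KiB size limit but is rejected by a count cap of 1,000. A count cap works where the size limit does not because it bounds the number of per-entry allocations directly, whatever the server actually spends on each one.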
A Call for Vigilance
The HTTP/2 Bomb is a reminder that the threat landscape keeps changing. As more web servers adopt HTTP/2 for its performance benefits, operators need to track vulnerabilities in their HTTP/2 stacks and patch promptly, and the security community needs to keep sharing findings and mitigations such as those above.
Researchers and security professionals must keep adapting so that web infrastructure stays resilient against new attack vectors; the HTTP/2 Bomb is a wake-up call to redouble that effort.