HTTP/2 Bomb: Remote DoS Attack on Major Web Servers (2026)

The HTTP/2 Bomb: A Remote Denial-of-Service Vulnerability in Major Web Servers

The world of cybersecurity is abuzz with the discovery of a critical vulnerability in major web servers, including NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. This vulnerability, dubbed the HTTP/2 Bomb, has the potential to cause significant disruption and downtime for websites and services that rely on these servers.

What makes this vulnerability particularly insidious is its ability to exploit a fundamental feature of HTTP/2, the header compression scheme HPACK. By chaining together two known techniques, a compression bomb and a Slowloris-style hold, the HTTP/2 Bomb can overwhelm servers and render them inaccessible.

The amplification comes from the fact that one byte on the wire becomes one full header allocation on the server, repeated thousands of times per request. This can lead to a single client consuming and holding 32 GB of server memory against Apache HTTPD and Envoy in just 20 seconds. In a hypothetical attack scenario, a home computer on a 100 Mbps connection could render a vulnerable server inaccessible within seconds.

The HTTP/2 Bomb is not a new concept, but it has been given a new twist. It builds upon previous vulnerabilities such as the HPACK Bomb (CVE-2016-6581), a memory exhaustion vulnerability in Apache httpd's HTTP/2 implementation, and two DoS flaws in Apache HTTP Server via crafted CONTINUATION frames (CVE-2016-8740) and worker-thread starvation (CVE-2016-1546).

What sets the HTTP/2 Bomb apart is the way it amplifies the attack. While previous vulnerabilities stuffed a large value into the table and referenced it repeatedly, the HTTP/2 Bomb creates a nearly empty header, and the amplification comes from the per-entry bookkeeping the server allocates around it. This means that the decoded-size limit never fires, because the decoded bytes stay tiny even as the number of allocated entries grows.
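To make that accounting gap concrete, the model below is an added illustration, not code from the article or from any of the servers named. It decodes a block of HPACK indexed representations against two policies: a naive check that counts only decoded name and value bytes, and a hardened one that charges the 32-byte per-field overhead RFC 7540 prescribes and also caps the field count. The index table, the sample wire block and the per-field allocation constant are constructed assumptions.

```python
from dataclasses import dataclass, field

OVERHEAD_PER_FIELD = 32   # per-field overhead RFC 7540 s6.5.2 tells decoders to count
ALLOC_PER_FIELD = 256     # ASSUMED bytes a server really allocates per decoded field

class HeaderListTooLarge(Exception):
    pass

@dataclass
class Decoder:
    table: list                     # constructed stand-in for the HPACK index table
    max_list_bytes: int = 8192      # SETTINGS_MAX_HEADER_LIST_SIZE-style byte limit
    max_fields: int = 0             # hardened: hard cap on field count (0 = none)
    count_overhead: bool = False    # hardened: charge 32 bytes per field, not just bytes
    fields: list = field(default_factory=list)
    accounted: int = 0              # what the limit check "sees"
    allocated: int = 0              # what the server actually commits (modelled)

    def _admit(self, name: str, value: str) -> None:
        cost = len(name) + len(value) + (OVERHEAD_PER_FIELD if self.count_overhead else 0)
        if self.accounted + cost > self.max_list_bytes:
            raise HeaderListTooLarge("decoded size limit")
        if self.max_fields and len(self.fields) >= self.max_fields:
            raise HeaderListTooLarge("field count limit")
        self.accounted += cost
        self.allocated += ALLOC_PER_FIELD + len(name) + len(value)
        self.fields.append((name, value))

    def decode(self, wire: bytes) -> int:
        """Decode a block of indexed representations (0x80 | index, RFC 7541 s6.1)."""
        for b in wire:
            if not b & 0x80:
                raise ValueError("only single-byte indexed fields are modelled")
            name, value = self.table[(b & 0x7F) - 1]   # indices are 1-based
            self._admit(name, value)
        return len(self.fields)

def compare(n_fields: int = 4000) -> dict:
    """Constructed sample: one nearly empty header, referenced n_fields times."""
    table = [("x", "")]                       # index 1: a one-byte name, empty value
    wire = bytes([0x81]) * n_fields           # one wire byte per decoded field
    results = {}
    for label, dec in (("naive", Decoder(table)),
                       ("hardened", Decoder(table, max_fields=100, count_overhead=True))):
        try:
            results[label] = (dec.decode(wire), dec.allocated, None)
        except HeaderListTooLarge as e:
            results[label] = (len(dec.fields), dec.allocated, str(e))
    return results

if __name__ == "__main__":
    for label, (n, alloc, err) in compare().items():
        print(f"{label:8s} fields={n:5d} allocated={alloc:8d} B  stop={err}")
```

The naive policy admits all 4000 fields because only 4000 decoded bytes are counted, while the modelled allocation is about 257 times the wire size; the hardened policy stops at the field cap long before that.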

The implications of this vulnerability are far-reaching. It highlights the importance of keeping web servers and their dependencies up to date with the latest security patches. For those who cannot upgrade, disabling HTTP/2 is a recommended mitigation measure. However, it's worth noting that no patch is available for Microsoft IIS, Envoy, and Cloudflare Pingora as of this writing.

The HTTP/2 Bomb serves as a stark reminder of the ongoing arms race between cybersecurity researchers and attackers. As web servers continue to evolve and adopt new protocols, it's crucial to stay vigilant and proactive in addressing vulnerabilities like this one. Only through a collective effort can we hope to stay one step ahead of those who seek to exploit our digital infrastructure.


Author: Carmelo Roob