A new denial-of-service attack abuses weaknesses in HTTP/2 to take down web servers from a single machine within seconds. The flaw affects multiple server implementations.
Security researchers have identified a critical DoS vulnerability in HTTP/2, dubbed HTTP/2 Bomb, that lets an attacker crash web servers with minimal computational resources.
The attack sends specially crafted HTTP/2 requests that abuse how servers handle compression and stream multiplexing. (HTTP/2 itself compresses only headers, using HPACK; the report does not say which compression step the attack targets.) A single client can generate requests that force the server into resource-exhausting work, leaving it unresponsive within moments.
Attack Mechanism
HTTP/2 multiplexes many concurrent streams over a single TCP connection. The HTTP/2 Bomb abuses this by opening streams that drive the server through repeated compression work, so the cost to the server grows with the number of streams rather than with the attacker's bandwidth. Traditional rate limiting, which counts connections or packets per source address, sees only one connection and a modest packet rate, so the attack slips under it.
Impact
Vulnerable servers stop responding to legitimate traffic almost instantly. The attacker needs little bandwidth or computing power, which makes the vector cheap to run and hard to tell apart from a single misbehaving client. Organizations running affected server software face downtime until they mitigate.
Affected Systems
Multiple popular web server implementations have been confirmed vulnerable, including widely deployed platforms. Vendors have begun releasing patches, but adoption varies across organizations.
Mitigation
Server administrators should apply available security updates immediately. Until patched, tighten the per-connection limits that every HTTP/2 server exposes (the protocol's own settings include the maximum number of concurrent streams, the maximum header list size and the HPACK dynamic table size), filter requests, and deploy a Web Application Firewall configured to detect malformed HTTP/2 streams. Network-level rate limiting offers limited protection, because the attack needs only one connection.
Industry Response
The HTTP/2 working group is reviewing the protocol's design to address the weaknesses exposed by this attack. Researchers recommend that server vendors validate HTTP/2 frames more strictly and cap resource consumption per connection, not only per request or per source address.
Organizations that depend on HTTP/2 should prioritize patching and monitor for exploitation attempts. Security teams should also review their DDoS mitigation strategies so they cover application-layer attacks of this kind, which do not rely on traffic volume.
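Added example: the per-connection accounting recommended above, and the reason source-address rate limiting fails (see Attack Mechanism), as a small Python frame-layer monitor. This is illustrative code written for this page, not software from any vendor or researcher mentioned here; the budgets, the constructed sample traffic and the client-side-only view are assumptions. It parses raw HTTP/2 frames from a client byte stream and rejects the connection once it exceeds a budget for concurrent streams, compressed header-block bytes per stream, or total frames.

```python
"""Per-connection HTTP/2 frame accounting (illustrative, not vendor code).

Parses the RFC 9113 frame layer (24-bit length, 8-bit type, 8-bit flags,
31-bit stream id) and enforces assumed per-connection budgets.
"""
from dataclasses import dataclass
from typing import Optional

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 9113 client connection preface
FRAME_HEADER_LEN = 9
# Frame type codes, RFC 9113 section 6.
(DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PUSH_PROMISE,
 PING, GOAWAY, WINDOW_UPDATE, CONTINUATION) = range(10)
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4


@dataclass
class Limits:
    """Assumed demo budgets; real servers expose equivalents as settings."""
    max_concurrent_streams: int = 100
    max_header_block_bytes: int = 16 * 1024  # HEADERS + CONTINUATION payload per stream
    max_frames: int = 5000                   # total frames accepted per connection


@dataclass
class Frame:
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used only to construct the sample traffic."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> list:
    """Split a raw client byte stream into frames, skipping the preface if present."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF  # drop reserved bit
        start = off + FRAME_HEADER_LEN
        if start + length > len(data):
            raise ValueError("truncated frame at offset %d" % off)
        frames.append(Frame(length, ftype, flags, stream_id, data[start:start + length]))
        off = start + length
    if off != len(data):
        raise ValueError("trailing partial frame header")
    return frames


class ConnectionGuard:
    """Tracks one connection's resource use and reports the first budget it exceeds.

    Only client bytes are visible here, so a stream stays open until the client
    resets it or the server calls release() after responding (never called below).
    """

    def __init__(self, limits: Optional[Limits] = None):
        self.limits = limits or Limits()
        self.open_streams: set = set()
        self.header_bytes: dict = {}
        self.frames_seen = 0

    def release(self, stream_id: int) -> None:
        self.open_streams.discard(stream_id)
        self.header_bytes.pop(stream_id, None)

    def feed(self, f: Frame) -> Optional[str]:
        """Account one frame; None if within budget, else a reason to drop the connection."""
        self.frames_seen += 1
        if self.frames_seen > self.limits.max_frames:
            return "frame count exceeded"
        if f.type in (HEADERS, CONTINUATION):
            if f.stream_id == 0:
                return "header frame on stream 0"
            if f.stream_id not in self.open_streams:
                self.open_streams.add(f.stream_id)
                if len(self.open_streams) > self.limits.max_concurrent_streams:
                    return "concurrent stream limit exceeded"
            # Frame length bounds the compressed header block (padding included) and so
            # bounds the HPACK decompression work this stream can impose on the server.
            total = self.header_bytes.get(f.stream_id, 0) + f.length
            self.header_bytes[f.stream_id] = total
            if total > self.limits.max_header_block_bytes:
                return "header block budget exceeded"
        elif f.type == RST_STREAM:
            self.release(f.stream_id)
        return None


def check_connection(data: bytes, limits: Optional[Limits] = None) -> Optional[str]:
    """Return None if the whole byte stream stays within budget, else the first violation."""
    guard = ConnectionGuard(limits)
    for frame in parse_frames(data):
        reason = guard.feed(frame)
        if reason:
            return reason
    return None


# Constructed sample traffic (not captured from any real incident).
_OPEN = PREFACE + build_frame(SETTINGS, 0, 0)
_SMALL_HDRS = b"\x82\x84\x86" + b"\x00" * 60  # 63-byte stand-in for an HPACK block
BENIGN = _OPEN + b"".join(build_frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, sid, _SMALL_HDRS)
                          for sid in (1, 3, 5))
STREAM_FLOOD = _OPEN + b"".join(build_frame(HEADERS, FLAG_END_HEADERS, sid, _SMALL_HDRS)
                                for sid in range(1, 301, 2))  # 150 streams, none closed
HEADER_FLOOD = _OPEN + build_frame(HEADERS, 0, 1, b"\x82" * 8192) + b"".join(
    build_frame(CONTINUATION, 0, 1, b"\x82" * 8192) for _ in range(127))  # 1 MiB header block
PING_FLOOD = _OPEN + build_frame(PING, 0, 0, b"\x00" * 8) * 6000

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN), ("stream flood", STREAM_FLOOD),
                       ("header flood", HEADER_FLOOD), ("ping flood", PING_FLOOD)]:
        print(f"{name}: {check_connection(blob) or 'ok'}")
```

The point of budgeting at the frame layer is that all four samples arrive over one connection at a modest packet rate, so a per-address or per-packet limiter never fires; only accounting that is keyed to the connection and to what each stream costs the server (decompression bytes, open streams, frame count) separates the floods from the benign client. A real enforcement point would also call `release()` when the server finishes a response, so long-lived legitimate connections do not exhaust the stream budget.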