New HTTP/2 Bomb DoS Attack Crashes Web Servers in Seconds

Cybersecurity researchers have discovered a critical vulnerability in the HTTP/2 protocol that enables powerful DoS attacks with minimal resources. The attack, named HTTP/2 Bomb, exploits the data stream processing features of HTTP/2 to create an avalanche-like load on servers.

The core of the attack involves sending specially crafted requests that force the server to allocate significant resources to process each connection. As a result, even a single machine can generate enough load to cause a complete server outage within 30–60 seconds. Experts note that the vulnerability affects a wide range of software, including popular web servers and cloud platforms.

Developers have already released patches to address the vulnerability, but experts recommend that administrators verify their system configurations and apply security updates. Special attention should be given to configuring stream limits and timeouts in HTTP/2 to minimize the risks of exploitation.