Known denial-of-service (DoS) techniques can be chained together in a new exploit that can knock major web servers offline, Calif security researchers warn.
Dubbed HTTP/2 Bomb and discovered using OpenAI’s Codex, the exploit combines a compression bomb that targets HTTP/2’s header compression scheme (HPACK) with a Slowloris-style hold that prevents the server from freeing memory.
According to California-based cybersecurity firm Calif, the attack potentially affects over 880,000 websites that support HTTP/2 and run default NGINX, Apache HTTPD, Microsoft IIS, Envoy, or Cloudflare Pingora configurations.
Furthermore, the company says, an attack can be launched from a home computer on a 100 Mbps connection and can render any of these servers unavailable within seconds.
The techniques chained by the exploit are not new. In fact, three of the underlying issues were disclosed a decade ago, while another was resolved last year.
