Cybersecurity firm Calif has disclosed a denial-of-service technique it calls 'HTTP/2 Bomb', which chains together older attack methods to take down major web servers. By Calif's count it affects over 880,000 websites running HTTP/2 with the default configuration of popular servers such as NGINX and Apache. The attack builds on the HPACK Bomb, which abuses HTTP/2's header compression (HPACK) so that a small header block on the wire decompresses into a far larger amount of header data in server memory, and combines it with Slowloris-style tactics that hold many such connections open at once until the server's memory is exhausted.
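To make the amplification concrete, here is an added example that is not code from the original article or from Calif: a toy HPACK (RFC 7541) decoder that implements just the two representations the bomb needs, the literal with incremental indexing and the indexed header field referencing the dynamic table. It builds a constructed malicious header block (one 4,000-byte value stored in the dynamic table, then 16,000 one-byte references to it), measures how many bytes the server would have to account for, and shows how enforcing a header-list-size limit, corresponding to SETTINGS_MAX_HEADER_LIST_SIZE in HTTP/2, rejects the block early. Huffman-coded strings and the static table are deliberately left out; the sizes and ratio below are computed by the example, not figures from the report.

```python
# Added example (not from the original article or from Calif): a toy HPACK
# decoder, enough to show why a small HEADERS frame can decompress into tens
# of megabytes, and how a header-list-size limit stops it. Only literal-with-
# incremental-indexing and indexed (dynamic table) representations are
# modelled; Huffman strings and the static table are out of scope.

STATIC_TABLE_ENTRIES = 61   # RFC 7541 Appendix A; dynamic indices start at 62
ENTRY_OVERHEAD = 32         # per-field overhead, RFC 7541 s4.1 / RFC 7540 s6.5.2


def encode_int(value, prefix_bits, flags=0):
    """HPACK integer with an N-bit prefix (RFC 7541 section 5.1)."""
    limit = (1 << prefix_bits) - 1
    if value < limit:
        return bytes([flags | value])
    out = bytearray([flags | limit])
    value -= limit
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def decode_int(buf, pos, prefix_bits):
    limit = (1 << prefix_bits) - 1
    value = buf[pos] & limit
    pos += 1
    if value < limit:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def encode_string(s):
    """Raw (non-Huffman) string literal: H bit 0, 7-bit length prefix."""
    return encode_int(len(s), 7) + s


def decode_string(buf, pos):
    if buf[pos] & 0x80:
        raise ValueError("Huffman-coded strings not supported by this toy decoder")
    length, pos = decode_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def build_hpack_bomb(value_size=4000, refs=16000):
    """Constructed attack payload: one big dynamic-table entry, many references."""
    # 1. Literal with incremental indexing (01xxxxxx, index 0 = new name).
    #    Entry size 1 + value_size + 32 fits the 4096-octet default table.
    block = bytes([0x40]) + encode_string(b"x") + encode_string(b"A" * value_size)
    # 2. Indexed header field (1xxxxxxx) for dynamic index 62: one octet per reference.
    block += encode_int(STATIC_TABLE_ENTRIES + 1, 7, 0x80) * refs
    return block


def decode_header_block(block, max_header_list_size=None, table_capacity=4096):
    """Return (headers, uncompressed_size); raise ValueError once the
    uncompressed size exceeds max_header_list_size (None = unbounded)."""
    dynamic, table_size = [], 0          # newest entry first
    headers, total, pos = [], 0, 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                     # indexed header field
            idx, pos = decode_int(block, pos, 7)
            if idx <= STATIC_TABLE_ENTRIES:
                raise ValueError("static table not modelled")
            name, value = dynamic[idx - STATIC_TABLE_ENTRIES - 1]
        elif b & 0x40:                                   # literal, incremental indexing
            idx, pos = decode_int(block, pos, 6)
            if idx != 0:
                raise ValueError("indexed names not modelled")
            name, pos = decode_string(block, pos)
            value, pos = decode_string(block, pos)
            dynamic.insert(0, (name, value))
            table_size += len(name) + len(value) + ENTRY_OVERHEAD
            while table_size > table_capacity:           # eviction, RFC 7541 section 4.4
                en, ev = dynamic.pop()
                table_size -= len(en) + len(ev) + ENTRY_OVERHEAD
        else:
            raise ValueError("representation not modelled")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if max_header_list_size is not None and total > max_header_list_size:
            raise ValueError("header list exceeds configured maximum")
        headers.append((name, value))
    return headers, total


def amplification(block):
    """Uncompressed bytes per wire byte for a decoder with no list-size limit."""
    _, total = decode_header_block(block)
    return total / len(block)


def bounded_decoder_rejects(block, limit=16384):
    """True when a decoder enforcing `limit` refuses the block."""
    try:
        decode_header_block(block, max_header_list_size=limit)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    bomb = build_hpack_bomb()
    print(f"{len(bomb)} wire bytes -> {decode_header_block(bomb)[1]} uncompressed bytes "
          f"({amplification(bomb):.0f}x); bounded decoder rejects it: {bounded_decoder_rejects(bomb)}")
```

The bounded decoder checks the running uncompressed size after each field rather than after the whole block, so it stops within the first few kilobytes of accounted data instead of materialising the full list; the Slowloris half of the attack is what keeps many such connections alive at once, which is why per-connection limits alone are not enough without connection and stream caps.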
Some of the underlying issues had been disclosed before, but the combined attack had not been recognized until now. Existing NGINX patches and recent Apache fixes close some of the gaps; according to the report, Microsoft IIS and Envoy remain unpatched.