
HTTP/2 Bomb: Remote DoS Detection and Hardening for NGINX, Apache, and IIS

Security Arsenal Team
June 3, 2026

A newly disclosed vulnerability, dubbed HTTP/2 Bomb, has operations teams scrambling. Researchers at Calif have identified a critical remote denial-of-service (DoS) condition in the default HTTP/2 configurations of the most widely deployed web servers and proxies: NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare's Pingora.

This is not a theoretical edge case. The weakness sits in how these servers handle HTTP/2 streams by default, so a large share of internet-facing infrastructure is exposed to a resource-exhaustion attack that a single low-bandwidth client can trigger. For defenders, the immediate priorities are assessing exposure and hardening the protocol surface to preserve availability.

Technical Analysis

Affected Products & Platforms:

  • NGINX (All versions utilizing default HTTP/2 module)
  • Apache HTTPD (All versions utilizing mod_http2)
  • Microsoft IIS (Windows Server 2016/2019/2022 with HTTP/2 enabled)
  • Envoy Proxy (Default configurations)
  • Cloudflare Pingora (Default configurations)

Vulnerability Mechanics: At the time of writing no CVE has been assigned. The technique, labeled "HTTP/2 Bomb", abuses the multiplexing features of HTTP/2: by sending a crafted sequence of frames (likely involving SETTINGS, PRIORITY or HEADERS frames that trigger recursive processing or excessive buffer allocation), an attacker forces the server to spend CPU and memory out of all proportion to the bytes it receives.

Unlike a volumetric DDoS, this is an asymmetric application-layer attack: it needs very little bandwidth but can drive CPU to 100% or exhaust memory, leaving worker processes crashed or unresponsive. Because the weakness is in the default configuration, a standard installation of any of these servers is exposed without further tuning.

Exploitation Status: The researchers have demonstrated proof-of-concept (PoC) code and noted that OpenAI Codex assisted the discovery. No widespread exploitation campaign has been observed in the wild yet, but with the technique public the remediation window is closing rapidly.

Detection & Response

Detecting an HTTP/2 Bomb attack means either monitoring for its effects (worker crashes, restart loops, saturated CPU) or inspecting network traffic for malformed frame sequences. Host logs rarely record the HTTP/2 frames that precede a crash, and TLS hides them from passive capture unless you terminate at a proxy you control, so the rules below focus on process stability and service availability.
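The stability-focused approach above, as an added example that is not part of the original advisory: a bash script that applies restart-loop logic to a few constructed syslog lines. One crash is noise; several abnormal exits of the same unit on the same host inside a short window is the signal worth paging on. It assumes systemd's message wording and that all lines come from the same day; the log lines are made up for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original advisory: find web-server restart loops
# in syslog. Assumes systemd wording ("<unit>.service: Main process exited,
# code=killed, status=11/SEGV") and that all lines are from the same day.

# sample_log_file: write a constructed syslog excerpt (not real telemetry) to a
# temp file and print its path, so the function below can be exercised offline.
sample_log_file() {
  local f
  f=$(mktemp)
  cat > "$f" <<'EOF'
Jun  3 10:00:01 web1 systemd[1]: nginx.service: Main process exited, code=killed, status=11/SEGV
Jun  3 10:00:02 web1 systemd[1]: nginx.service: Scheduled restart job, restart counter is at 1.
Jun  3 10:00:40 web1 kernel: nginx[2210]: segfault at 0 ip 000055d1c0ffee00 sp 00007ffd1234abcd error 4
Jun  3 10:00:41 web1 systemd[1]: nginx.service: Main process exited, code=killed, status=11/SEGV
Jun  3 10:01:15 web1 systemd[1]: nginx.service: Main process exited, code=killed, status=11/SEGV
Jun  3 10:30:00 web2 systemd[1]: apache2.service: Main process exited, code=exited, status=0/SUCCESS
Jun  3 11:05:00 web2 systemd[1]: httpd.service: Main process exited, code=dumped, status=6/ABRT
EOF
  printf '%s\n' "$f"
}

# restart_loops LOGFILE [WINDOW_SECONDS] [THRESHOLD]
# Prints "host unit crashes" for every host/unit whose worst trailing window
# held at least THRESHOLD abnormal exits. Only systemd's "Main process exited"
# lines are counted (one per crash): the kernel's segfault line describes the
# same event and would double-count, and status=0/SUCCESS is a clean stop.
restart_loops() {
  local log=$1 window=${2:-300} threshold=${3:-3}
  awk -v win="$window" -v thr="$threshold" '
    /(nginx|httpd|apache2)\.service: Main process exited/ && !/status=0\// {
      split($3, t, ":")                          # field 3 is HH:MM:SS
      now = t[1] * 3600 + t[2] * 60 + t[3]       # seconds since midnight
      host = $4
      match($0, /[A-Za-z0-9@._-]+\.service/)     # the systemd unit name
      unit = substr($0, RSTART, RLENGTH)
      key = host SUBSEP unit
      n[key]++
      ts[key, n[key]] = now
      c = 0                                      # crashes inside the trailing window
      for (i = 1; i <= n[key]; i++) if (now - ts[key, i] <= win) c++
      if (c > max[key]) max[key] = c
    }
    END {
      for (k in max) if (max[k] >= thr) {
        split(k, p, SUBSEP)
        printf "%s %s %d\n", p[1], p[2], max[k]
      }
    }' "$log"
}

# Usage: restart_loops "$(sample_log_file)" 300 3   -> "web1 nginx.service 3"
```

The same logic ports directly to a SIEM as a count-by-host-and-unit over a time bin; the awk version is useful on a host you are already logged into during an incident, before the SIEM has ingested anything.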

SIGMA Rules

YAML
---
title: Linux Web Server Process Crash (HTTP/2 Bomb Indicator)
id: 8a4c2d1e-9f3a-4b5c-8e6d-7f1a9b2c3d4e
status: experimental
description: Detects abnormal termination of nginx/apache on Linux. On systemd hosts the exit is logged by systemd ("nginx.service: Main process exited, code=killed, status=11/SEGV") and any segfault by the kernel, so the rule matches on the message text as well as on the logging program. Repeated hits from one host within minutes indicate a restart loop consistent with HTTP/2 Bomb.
references:
  - https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: linux
  service: syslog
detection:
  selection_program:
    program|contains:
      - 'nginx'
      - 'httpd'
      - 'apache2'
    message|contains:
      - 'exited'
      - 'terminated'
      - 'segfault'
      - 'panic'
  selection_systemd_unit:
    message|contains:
      - 'nginx.service'
      - 'httpd.service'
      - 'apache2.service'
  selection_systemd_exit:
    message|contains:
      - 'Main process exited, code=killed'
      - 'Main process exited, code=dumped'
      - 'Failed with result'
  selection_kernel:
    program: 'kernel'
    message|re: '(nginx|httpd|apache2)\[[0-9]+\]: segfault'
  condition: selection_program or (selection_systemd_unit and selection_systemd_exit) or selection_kernel
falsepositives:
  - Legitimate administrator restarting services
  - Planned maintenance
  - Application bugs unrelated to attack
level: high
---
title: IIS Service or Worker Process Unexpected Termination
id: 3b5d6e7f-1a2b-3c4d-5e6f-7a8b9c0d1e2f
status: experimental
description: Detects unexpected termination of the IIS service (W3SVC, Service Control Manager event 7031) or of an IIS worker process (w3wp.exe). Worker crashes are not reported by the Service Control Manager but by WAS in the System log as 5009 (process terminated unexpectedly), 5011 (fatal communication error) and, after repeated failures, 5002 (application pool disabled by rapid-fail protection). Both patterns are consistent with resource exhaustion attacks.
references:
  - https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.impact
  - attack.t1499
logsource:
  product: windows
  service: system
detection:
  selection_scm:
    Provider_Name: 'Service Control Manager'
    EventID: 7031
    param1|contains: 'World Wide Web Publishing Service'
  selection_was:
    Provider_Name|endswith: 'WAS'
    EventID:
      - 5002
      - 5009
      - 5011
  condition: 1 of selection_*
falsepositives:
  - Manual IIS reset or application pool recycle
  - Application crashes unrelated to attack
level: high
---
title: High Volume of Inbound Connections on Standard TLS Port
id: 9c8d7e6f-5a4b-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Counts inbound TCP connections to port 443 per host in a one-minute window (network_connection events where the local host did not initiate the connection). A spike can indicate a flood or a protocol-abuse campaign. HTTP/2 Bomb itself needs few connections, so treat this as a supporting indicator alongside the crash rules, not as a primary one.
references:
  - https://thehackernews.com/2026/06/new-http2-bomb-vulnerability-allows.html
author: Security Arsenal
date: 2026/06/12
tags:
  - attack.impact
  - attack.t1499.002
logsource:
  category: network_connection
detection:
  selection:
    DestinationPort: 443
    Initiated: 'false'
  timeframe: 1m
  condition: selection | count() by Computer > 1000
falsepositives:
  - High load legitimate traffic events
  - Scalability testing
level: medium

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Linux web server crashes via Syslog. Filter on the message, not on
// ProcessName: systemd logs the exit ("nginx.service: Main process exited,
// code=killed, status=11/SEGV") and the kernel logs the segfault, so
// ProcessName is "systemd" or "kernel" rather than the web server itself.
Syslog
| where SyslogMessage has_any ("nginx", "httpd", "apache2")
| where SyslogMessage has_any ("Main process exited", "segfault", "core dump", "Failed with result", "fatal error")
| where SyslogMessage !has "status=0/SUCCESS"   // a clean stop is not a crash
| project TimeGenerated, Computer, ProcessName, SyslogMessage
| sort by TimeGenerated desc

// Same signal, aggregated: a host with three or more abnormal exits in five
// minutes is in a restart loop and deserves an alert rather than a hunt.
Syslog
| where SyslogMessage has_any ("nginx.service", "httpd.service", "apache2.service")
| where SyslogMessage has "Main process exited" and SyslogMessage !has "status=0/SUCCESS"
| summarize Crashes = count() by Computer, bin(TimeGenerated, 5m)
| where Crashes >= 3

// Hunt for IIS worker process crashes. WAS writes to the System log, not to a
// log named "WAS": 5009 = worker process terminated unexpectedly, 5011 = fatal
// communication error with WAS, 5002 = application pool disabled by
// rapid-fail protection after repeated failures.
Event
| where EventLog == "System" and Source endswith "WAS"
| where EventID in (5002, 5009, 5011)
| project TimeGenerated, Computer, Source, EventID, RenderedDescription
| sort by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for web server processes created in the last 5 minutes. On a healthy host
-- the master process is old; a young master (or a young w3wp.exe that is not an
-- idle start) right after a crash points at a restart loop. nginx workers also
-- respawn on a normal reload, so confirm hits against the syslog/WAS events above.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name IN ('nginx', 'apache2', 'httpd', 'nginx.exe', 'httpd.exe', 'w3wp.exe')
  AND CreateTime > timestamp(epoch=now() - 300)
ORDER BY CreateTime DESC

Remediation Script

Bash (Linux - NGINX/Apache): Use this script to find the configuration files that enable HTTP/2, back them up, remove the HTTP/2 enablement, test the resulting configuration and restart each service only when its test passes.

Bash / Shell
#!/bin/bash
# Back up and disable HTTP/2 in NGINX and Apache, then restart each service only
# if its configuration still validates. Run as root.
set -u
stamp=$(date +%Y%m%d_%H%M%S)

echo "[*] NGINX: removing 'http2' from listen directives and setting 'http2 off'..."
# Match only the listen parameter (nginx < 1.25.1) and the 'http2 on;' directive
# (1.25.1+); a bare 'http2' pattern would also hit http2_push and similar names,
# and commenting from 'http2' onward would swallow the terminating ';'.
# --follow-symlinks (GNU sed) keeps sites-enabled symlinks intact; plain sed -i
# would replace each symlink with a regular file.
grep -rlE '^\s*(listen\s[^;]*\shttp2\b|http2\s+on\s*;)' /etc/nginx 2>/dev/null | while read -r file; do
    echo "    $file"
    cp -p "$file" "$file.bak_$stamp"
    sed -i --follow-symlinks -E \
        -e 's/^(\s*listen\s[^;]*)\shttp2\b/\1/' \
        -e 's/^(\s*)http2\s+on\s*;/\1http2 off;/' "$file"
done
if command -v nginx >/dev/null; then
    nginx -t && systemctl restart nginx \
        || echo "[!] nginx config test failed; restore from *.bak_$stamp before restarting"
fi

echo "[*] Apache: resetting Protocols to http/1.1 (the default when the directive is absent)..."
grep -rlE '^\s*Protocols\s.*\bh2c?\b' /etc/apache2 /etc/httpd 2>/dev/null | while read -r file; do
    echo "    $file"
    cp -p "$file" "$file.bak_$stamp"
    sed -i --follow-symlinks -E 's/^(\s*)Protocols\s.*$/\1Protocols http\/1.1/' "$file"
done
if command -v apachectl >/dev/null; then
    apachectl -t && { systemctl restart apache2 2>/dev/null || systemctl restart httpd; } \
        || echo "[!] Apache config test failed; restore from *.bak_$stamp before restarting"
fi
echo "[*] Done. Confirm from a client that ALPN now yields http/1.1, not h2."


PowerShell (Windows - IIS): This script disables HTTP/2 in HTTP.sys, the kernel-mode listener IIS runs on, through the documented EnableHttp2Tls and EnableHttp2Cleartext registry values. The change is host-wide (it affects every HTTP.sys-based listener, not only IIS sites) and takes effect only when the HTTP service is restarted or the machine rebooted; restarting W3SVC alone is not enough.

PowerShell
param([switch]$RestartNow)
# Disable HTTP/2 in HTTP.sys, the kernel-mode listener IIS runs on. The
# documented values are EnableHttp2Tls (HTTPS) and EnableHttp2Cleartext (h2c);
# a value named "EnableHttp2" is not read by HTTP.sys. Run elevated.
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"

if (!(Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}

try {
    foreach ($Name in 'EnableHttp2Tls', 'EnableHttp2Cleartext') {
        Set-ItemProperty -Path $RegPath -Name $Name -Value 0 -Type DWord -Force
    }
    # Read back what was written before touching any service.
    Get-ItemProperty -Path $RegPath | Select-Object EnableHttp2Tls, EnableHttp2Cleartext | Format-List
    Write-Host "[+] HTTP/2 disabled in the registry for every HTTP.sys listener on this host." -ForegroundColor Green

    # HTTP.sys reads these values when the HTTP service starts, so restarting W3SVC
    # alone does nothing. Stopping HTTP also stops everything that depends on it
    # (WinRM included), which is why the restart is opt-in; a reboot is the safer
    # choice when you are connected remotely.
    if ($RestartNow) {
        net stop http /y
        net start w3svc
    } else {
        Write-Host "[!] Restart the HTTP service (re-run with -RestartNow) or reboot for the change to take effect." -ForegroundColor Yellow
    }
}
catch {
    Write-Host "[-] Error applying mitigation: $_" -ForegroundColor Red
}

Remediation

Immediate Action:

  1. Disable HTTP/2: Until vendor patches are released, the most reliable mitigation is to temporarily disable HTTP/2 on your web servers. Because the protocol is chosen through ALPN during the TLS handshake, clients simply fall back to HTTP/1.1, which removes the attack surface while preserving availability. Apply the change wherever TLS is terminated: if a load balancer or CDN in front of the origin speaks HTTP/2 to clients, turning it off on the origin alone does not reduce exposure at the edge. Expect a modest performance cost from losing multiplexing on busy sites.
  2. WAF Tuning: Update Web Application Firewall (WAF) rules to rate-limit or block HTTP/2 traffic that resembles frame flooding or abusive priority updates. This only works where the WAF terminates TLS and speaks HTTP/2 to the client; a WAF that receives decrypted HTTP/1.1 from an upstream proxy never sees the frames.
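Disabling HTTP/2 is only done when a client can no longer negotiate it. The following bash check is an added example, not code from the original advisory or from any vendor: it parses the ALPN line of openssl s_client output and, for a live probe, offers h2 first so a server that still speaks HTTP/2 will reveal it. The host and port passed to the probe are placeholders you supply; the s_client excerpts at the bottom are constructed, not captured from a real server.

```bash
#!/usr/bin/env bash
# Added example, not from the original advisory: verify from the outside that a
# host no longer negotiates HTTP/2 after the mitigation. The check uses ALPN:
# the client offers "h2" first, so a server with HTTP/2 still enabled selects
# it, and a mitigated one answers "http/1.1" (or negotiates nothing).
# Requires openssl(1) for the live probe; the parser itself runs offline.

# alpn_selected OUTPUT
# Parse `openssl s_client` output. Prints the protocol the server selected
# ("h2", "http/1.1", ...) or "none" when it printed "No ALPN negotiated".
# Returns 1 when the server chose h2, so it can gate a rollout script.
alpn_selected() {
  local proto
  proto=$(printf '%s\n' "$1" | sed -n 's/^ALPN protocol: //p' | head -n 1)
  [ -n "$proto" ] || proto=none
  printf '%s\n' "$proto"
  [ "$proto" != "h2" ]
}

# check_http2_disabled HOST [PORT]
# Live probe. SNI is set so name-based virtual hosts answer with the right
# certificate and settings; stdin is closed so s_client exits after the handshake.
check_http2_disabled() {
  local host=$1 port=${2:-443} out
  out=$(openssl s_client -connect "$host:$port" -servername "$host" \
          -alpn h2,http/1.1 </dev/null 2>/dev/null)
  alpn_selected "$out"
}

# Constructed s_client excerpts (not captured from a real server) showing the
# possible outcomes; the first is what an unmitigated server produces.
BEFORE_MITIGATION='CONNECTED(00000003)
---
ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.3'
AFTER_MITIGATION='CONNECTED(00000003)
---
ALPN protocol: http/1.1
SSL-Session:
    Protocol  : TLSv1.3'
NO_ALPN='CONNECTED(00000003)
---
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2'

# Usage against a real host (example.com is a placeholder):
#   check_http2_disabled example.com 443 || echo "HTTP/2 still enabled"
```

Run the probe against the public hostname, not the origin IP, so the check goes through whatever CDN or load balancer terminates TLS for real clients; that is where exposure is decided.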

Vendor Advisory References:

  • NGINX: Monitor release notes for changes to HTTP/2 stream handling; meanwhile review the http2_max_concurrent_streams limit on any listener that keeps HTTP/2 enabled.
  • Apache: Review updates for mod_http2 and the H2MaxSessionStreams limit.
  • Microsoft: Check for security updates addressing exhaustion in HTTP.sys, the protocol stack IIS relies on.
  • Cloudflare/Envoy: Refer to the Pingora and Envoy configuration hardening guides regarding http2.max_concurrent_streams.

Long-term Fix: Apply official patches as soon as they are released. After patching, re-enable HTTP/2 and test configurations under load to ensure the fix is effective.
