Mitigating HTTP/2 Bomb Attacks: Detection and Hardening for Critical Infrastructure

Security Arsenal Team
June 16, 2026

Introduction

Security Arsenal is tracking a significant surge in Denial-of-Service (DoS) activity specifically targeting the telecommunications and healthcare sectors. Termed "HTTP/2 Bomb" attacks, this threat vector weaponizes the efficiency features of the HTTP/2 protocol—specifically its multiplexing capabilities and header compression mechanisms—to launch devastating amplification attacks against unprepared infrastructure.

For healthcare providers and telcos, where availability is directly tied to patient safety and service continuity, this is not a theoretical risk. We are seeing active exploitation where a single low-bandwidth request triggers a resource exhaustion event on the server, effectively taking critical services offline. Defenders must move beyond standard rate-limiting and implement protocol-specific hardening immediately.

Technical Analysis

The "HTTP/2 Bomb" technique exploits the inherent design differences between HTTP/1.1 and HTTP/2. While HTTP/2 was designed to reduce latency by compressing headers (HPACK) and multiplexing streams over a single TCP connection, these features can be abused to cause disproportionate resource consumption on the server side.

Mechanism of Impact

The attack focuses on two primary vectors:

  1. HPACK Bombing: Attackers send headers containing compressed references that expand exponentially when decompressed by the server. A small request payload can force the server to allocate megabytes of memory to reconstruct the headers, leading to rapid memory exhaustion.
  2. Stream Multiplexing Abuse: The attacker opens numerous concurrent streams within a single TCP connection or uses CONTINUATION frames to indefinitely defer sending complete headers, keeping server worker threads occupied waiting for data that never arrives.
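
To make the HPACK vector concrete from the defender's side, the following is an added example (not code from this advisory or from any web server) of a bounded HPACK decoder: it implements the dynamic-table subset of RFC 7541 and aborts the moment the decoded header-list size passes a limit, which is what enforcing SETTINGS_MAX_HEADER_LIST_SIZE does inside a real server. The sample_block() input, its 4000-byte value and the 64 KiB bound are constructed for illustration; static-table entries, Huffman strings and the other field representations are deliberately not modelled and raise NotImplementedError.

```python
"""Bounded HPACK decoding: the server-side check that caps header expansion.

Added example, not code from the advisory or from any web server. Only the
RFC 7541 pieces the HPACK-bomb vector relies on are modelled: literal fields
with incremental indexing (uncompressed strings) and indexed references into
the dynamic table. Everything else raises NotImplementedError.
"""

STATIC_TABLE_LEN = 61   # RFC 7541 Appendix A; its entries are not modelled here
ENTRY_OVERHEAD = 32     # RFC 7541 section 4.1: size = len(name) + len(value) + 32


class HeaderListTooLarge(Exception):
    """Raised the moment the decoded header list passes the configured bound."""


def _read_int(buf, pos, prefix_bits):
    """Decode an integer with an N-bit prefix (RFC 7541 section 5.1)."""
    mask = (1 << prefix_bits) - 1
    value = buf[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _read_string(buf, pos):
    """Decode a string literal; only the uncompressed (H=0) form is modelled."""
    if buf[pos] & 0x80:
        raise NotImplementedError("Huffman-coded strings are not modelled")
    length, pos = _read_int(buf, pos, 7)
    return bytes(buf[pos:pos + length]), pos + length


def decode_bounded(block, max_header_list_size, max_table_size=4096):
    """Decode a header block, aborting once the decoded size exceeds the bound.

    Returns (headers, decoded_size). The running total is checked after every
    field, so a block that would expand to megabytes is refused after a few
    kilobytes of allocation; this mirrors SETTINGS_MAX_HEADER_LIST_SIZE.
    """
    dynamic, table_size = [], 0          # newest entry first (section 2.3.2)
    headers, total, pos = [], 0, 0
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                                  # indexed header field
            index, pos = _read_int(block, pos, 7)
            if index == 0 or index > STATIC_TABLE_LEN + len(dynamic):
                raise ValueError("invalid header index %d" % index)
            if index <= STATIC_TABLE_LEN:
                raise NotImplementedError("static-table lookups are not modelled")
            name, value = dynamic[index - STATIC_TABLE_LEN - 1]
        elif first & 0x40:                                # literal, incremental indexing
            index, pos = _read_int(block, pos, 6)
            if index != 0:
                raise NotImplementedError("indexed names are not modelled")
            name, pos = _read_string(block, pos)
            value, pos = _read_string(block, pos)
            dynamic.insert(0, (name, value))
            table_size += len(name) + len(value) + ENTRY_OVERHEAD
            while table_size > max_table_size:            # eviction (section 4.3)
                old_name, old_value = dynamic.pop()
                table_size -= len(old_name) + len(old_value) + ENTRY_OVERHEAD
        else:
            raise NotImplementedError("other field representations are not modelled")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > max_header_list_size:
            raise HeaderListTooLarge("decoded %d bytes after %d fields, limit %d"
                                     % (total, len(headers) + 1, max_header_list_size))
        headers.append((name, value))
    return headers, total


def _encode_int(value, prefix_bits, flags=0):
    """Inverse of _read_int, used only to build the constructed sample below."""
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flags | value])
    out, value = [flags | mask], value - mask
    while value >= 128:
        out.append((value % 128) | 0x80)
        value //= 128
    out.append(value)
    return bytes(out)


def _encode_string(s):
    return _encode_int(len(s), 7) + s                     # H bit clear: uncompressed


def sample_block(value_len=4000, refs=500):
    """Constructed input: one literal entry, then `refs` one-byte references to it.
    Each reference decodes to value_len + 1 + 32 bytes of header-list size."""
    literal = bytes([0x40]) + _encode_string(b"x") + _encode_string(b"A" * value_len)
    return literal + bytes([0x80 | (STATIC_TABLE_LEN + 1)]) * refs   # absolute index 62


def is_rejected(block, max_header_list_size):
    """True when the bounded decoder refuses the block."""
    try:
        decode_bounded(block, max_header_list_size)
    except HeaderListTooLarge:
        return True
    return False
```

Running decode_bounded(sample_block(), 1 << 40) shows the ratio the advisory describes: about 4.5 KB on the wire decodes to roughly 2 MB of header-list size, because each one-byte reference re-materialises the 4000-byte entry. With a 64 KiB bound the same block is refused after 17 fields, before most of that memory is ever allocated. The check is deliberately placed after every field rather than after the whole block, since the point is to stop the allocation, not to measure it afterwards.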

Affected Platforms

Any infrastructure accepting HTTP/2 traffic is potentially vulnerable. This includes:

  • Web Servers: Nginx, Apache HTTP Server, Microsoft IIS.
  • Reverse Proxies/Load Balancers: HAProxy, Envoy, NGINX Ingress Controller.
  • Cloud Platforms: CDN endpoints and cloud load balancers configured to accept HTTP/2.

Exploitation Status

Security Arsenal has confirmed active exploitation in the wild targeting unpatched or default configurations of web-facing infrastructure in the healthcare and telco sectors. These attacks require low bandwidth to execute, making them difficult to detect with traditional volumetric DDoS mitigation tools.

Detection & Response

Detecting HTTP/2 Bombs requires analyzing protocol-layer anomalies rather than just bandwidth volume. Defenders should look for high memory usage patterns in web processes, spikes in TCP connections with few bytes transferred, or specific error logs related to HTTP/2 frame processing.

SIGMA Rules

---
title: Potential HTTP/2 Bomb High Frequency Connections
id: a1b2c3d4-5678-90ab-cdef-123456789012
status: experimental
description: Detects potential HTTP/2 DoS by identifying source IPs creating a high volume of TCP connections to HTTP/2 ports (443) with low byte transfer, indicative of stream exhaustion attacks.
references:
  - https://attack.mitre.org/techniques/T1498/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.impact
  - attack.t1498
logsource:
  category: network_connection
  product: firewall
detection:
  selection:
    DestinationPort: 443
  # Byte volume cannot be summed in a Sigma aggregation; the KQL hunt below
  # adds the low-byte filter on top of this connection-rate condition.
  timeframe: 1m
  condition: selection | count() by SourceIP > 100
falsepositives:
  - Legitimate high-frequency scanning tools
  - Load testing environments
level: high
---
title: Web Server HTTP/2 Protocol Error Spikes
id: b2c3d4e5-6789-01ab-cdef-234567890123
status: experimental
description: Detects spikes in HTTP 400/431/508 errors often associated with HTTP/2 header size limits or stream resets, indicative of failed or blocked HTTP/2 bomb attempts.
references:
  - https://attack.mitre.org/techniques/T1498/
author: Security Arsenal
date: 2026/04/22
tags:
  - attack.impact
  - attack.t1498
logsource:
  category: webserver
  product: apache
detection:
  selection:
    sc-status:
      - 400
      - 431
      - 508
  timeframe: 5m
  condition: selection | count() by sc-status > 50
falsepositives:
  - Misconfigured clients
  - Legacy compatibility issues
level: medium

KQL (Microsoft Sentinel / Defender)

// Hunt for HTTP/2 Bomb indicators: many connections, few bytes (Network DoS).
// DeviceNetworkEvents carries no byte counters, so this runs over firewall logs
// ingested through CommonSecurityLog, matching the Sigma rule's logsource above.
CommonSecurityLog
| where DestinationPort == 443
| summarize ConnectionCount=count(), TotalBytesSent=sum(SentBytes), TotalBytesReceived=sum(ReceivedBytes) by SourceIP, DestinationIP, bin(TimeGenerated, 1m)
| where ConnectionCount > 50 and (TotalBytesSent < 5000 or TotalBytesReceived < 5000)
| project TimeGenerated, SourceIP, DestinationIP, ConnectionCount, TotalBytesSent, TotalBytesReceived
| sort by ConnectionCount desc
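
The aggregation that the first Sigma rule and the KQL hunt above both express (many connections from one source in a minute while little data moves) as runnable Python over a constructed firewall log. This is an added example, not code from the advisory; the key=value line format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are constructed, and a real deployment would replace parse_line() with the site's CEF or NetFlow parser.

```python
"""Connection-rate versus byte-volume hunt over firewall logs: the logic behind
the 'many connections, little data' Sigma and KQL rules above.

Added example, not part of the advisory. The key=value line format and the
sample addresses (RFC 5737 documentation ranges) are constructed; a real
deployment would replace parse_line() with the site's CEF or NetFlow parser.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"sent=(?P<sent>\d+) rcvd=(?P<rcvd>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a record, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "minute": ts.strftime("%Y-%m-%dT%H:%M"),   # one-minute bin, as in the rules
        "src": m["src"],
        "dport": int(m["dport"]),
        "sent": int(m["sent"]),
        "rcvd": int(m["rcvd"]),
    }


def hunt(lines, conn_threshold=100, byte_threshold=5000, port=443):
    """Flag (source, minute) pairs with many connections to `port` but few bytes.

    Thresholds follow the rules above: more than conn_threshold connections in
    one minute while either direction moved fewer than byte_threshold bytes.
    """
    buckets = defaultdict(lambda: {"count": 0, "sent": 0, "rcvd": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != port:
            continue
        bucket = buckets[(rec["src"], rec["minute"])]
        bucket["count"] += 1
        bucket["sent"] += rec["sent"]
        bucket["rcvd"] += rec["rcvd"]
    alerts = []
    for (src, minute), b in sorted(buckets.items()):
        low_volume = b["sent"] < byte_threshold or b["rcvd"] < byte_threshold
        if b["count"] > conn_threshold and low_volume:
            alerts.append({"src": src, "minute": minute, **b})
    return alerts


def build_sample_log():
    """Constructed sample: one low-byte high-rate source, one normal client, and
    one high-rate source on a port this hunt ignores."""
    lines = []
    for i in range(120):   # 120 connections in one minute, 40 bytes each, nothing back
        lines.append(f"2026-06-16T10:00:{i % 60:02d}Z src=203.0.113.5 "
                     f"dst=198.51.100.10 dport=443 sent=40 rcvd=0")
    for i in range(30):    # ordinary browser: fewer connections, real payloads
        lines.append(f"2026-06-16T10:00:{i:02d}Z src=192.0.2.20 "
                     f"dst=198.51.100.10 dport=443 sent=2500 rcvd=48000")
    for i in range(150):   # noisy SSH scanner: not on 443, so out of scope for this hunt
        lines.append(f"2026-06-16T10:00:{i % 60:02d}Z src=192.0.2.30 "
                     f"dst=198.51.100.10 dport=22 sent=0 rcvd=0")
    return lines


if __name__ == "__main__":
    for alert in hunt(build_sample_log()):
        print(alert)
```

On the constructed log only 203.0.113.5 is flagged: 120 connections in the 10:00 minute with 4800 bytes sent and none received. The browser at 192.0.2.20 stays under the connection threshold and moves real payloads, and the port-22 scanner is excluded by the port filter, which is why the rules key on 443 rather than on connection rate alone.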

Velociraptor VQL

// Hunt for web server processes consuming excessive memory (Resource Exhaustion)
// Column names for memory and start time vary by platform and Velociraptor
// version; confirm them with SELECT * FROM pslist() LIMIT 1 before deploying.
SELECT Pid, Name, Username, WorkingSetSize, StartTime, CommandLine
FROM pslist()
WHERE (Name =~ 'nginx' OR Name =~ 'apache2' OR Name =~ 'httpd')
  AND WorkingSetSize > 500 * 1024 * 1024 // Threshold: > 500MB
ORDER BY WorkingSetSize DESC

Remediation Script

#!/bin/bash
# HTTP/2 Hardening Script for Nginx and Apache
# Run as root or with sudo. Audits the limits discussed in this advisory, backs
# up configuration before editing it, and only reloads or restarts a service
# after its own configuration test passes.

set -u
STAMP=$(date +%Y%m%d)

echo "[+] Starting HTTP/2 Hardening..."

# Check for Nginx
if command -v nginx &> /dev/null; then
    echo "[+] Detected Nginx. Checking configuration..."
    NGINX_CONF=/etc/nginx/nginx.conf

    # Backup config
    cp "$NGINX_CONF" "$NGINX_CONF.bak_$STAMP"

    # Set limits for HTTP/2 (max_concurrent_streams, header size)
    # Note: These directives usually go in http {} or server {} blocks, which are
    # often in included files, so search the whole /etc/nginx tree.
    if ! grep -rq "http2_max_concurrent_streams" /etc/nginx/; then
        echo "[!] Warning: http2_max_concurrent_streams not explicitly set (default 128)."
        echo "    Recommended: Add 'http2_max_concurrent_streams 128;' to the http block."
    fi

    # large_client_header_buffers bounds the decoded header size and so caps HPACK
    # amplification. Default is 4 8k; flag any value that has been raised to megabytes.
    echo "[+] Verifying large_client_header_buffers limits..."
    if grep -rhE "^\s*large_client_header_buffers" /etc/nginx/ | grep -qE "[0-9]+[mM]"; then
        echo "[!] Warning: large_client_header_buffers is set in megabytes; reduce it (e.g. '4 8k')."
    fi

    # Nothing is edited automatically for Nginx; validate before reloading so a
    # broken config never takes the service down.
    if nginx -t; then
        systemctl reload nginx
        echo "[+] Nginx configuration valid; reloaded."
    else
        echo "[!] Nginx configuration test failed; not reloading."
    fi
fi

# Check for Apache
if command -v apache2 &> /dev/null || command -v httpd &> /dev/null; then
    echo "[+] Detected Apache. Checking modules..."

    # Main config is apache2.conf (Debian/Ubuntu) or httpd.conf (RHEL/Fedora, under /etc/httpd)
    APACHE_CONF=$(find /etc/apache2 /etc/httpd \( -name "apache2.conf" -o -name "httpd.conf" \) 2>/dev/null | head -n 1)

    if [ -n "$APACHE_CONF" ]; then
        cp "$APACHE_CONF" "$APACHE_CONF.bak_$STAMP"
        CHANGED=0

        # Limit header size to mitigate decompression bombs
        if ! grep -q "LimitRequestFieldSize" "$APACHE_CONF"; then
            echo "LimitRequestFieldSize 8190" >> "$APACHE_CONF"
            echo "[+] Added LimitRequestFieldSize to Apache config."
            CHANGED=1
        fi

        # mod_http2 caps streams per connection with H2MaxSessionStreams (default 100).
        # Report only: it belongs wherever mod_http2 is configured on this host.
        if ! grep -rq "H2MaxSessionStreams" /etc/apache2 /etc/httpd 2>/dev/null; then
            echo "[!] Warning: H2MaxSessionStreams not explicitly set (default 100)."
        fi

        # Restart only when something changed and the configuration still parses
        if [ "$CHANGED" -eq 1 ]; then
            if apachectl configtest; then
                systemctl restart apache2 || systemctl restart httpd
                echo "[+] Apache restarted."
            else
                echo "[!] Apache configuration test failed; restoring backup."
                cp "$APACHE_CONF.bak_$STAMP" "$APACHE_CONF"
            fi
        fi
    fi
fi

echo "[+] Hardening script complete. Please verify configuration files match your environment requirements."

Remediation

To protect against HTTP/2 Bomb attacks, organizations must implement strict limits on protocol features. Reliance on TCP SYN cookies or generic rate limiting is insufficient.

1. Vendor Patches and Updates

Consult your specific vendor advisories for the latest patches addressing HTTP/2 resource exhaustion:

  • Nginx: Upgrade to the latest mainline or stable branch to include fixes for HPACK overflow handling.
  • Apache: Ensure mod_http2 is updated to the latest version.
  • Envoy/HAProxy: Review recent changelogs for HTTP/2 stream limit mitigations.

2. Configuration Hardening

Reduce the resources a single connection can consume:

  • Limit Max Concurrent Streams: Configure servers to accept fewer concurrent streams per connection (e.g., 100 or 128; http2_max_concurrent_streams in Nginx, H2MaxSessionStreams in Apache mod_http2). This limits the impact of a single TCP connection abusing multiplexing.
  • Restrict Header Sizes: Enforce strict limits on http2_max_header_size (Nginx; obsoleted in 1.19.7, after which large_client_header_buffers bounds HTTP/2 headers as well) or LimitRequestFieldSize (Apache). This mitigates the HPACK amplification vector.
  • Reduce Timeouts: Lower send_timeout and keepalive_timeout values (and, in Nginx, client_header_timeout, which bounds how long the server waits for a complete header block) to ensure resources are freed quickly if a connection stalls during a CONTINUATION flood.

3. WAF and CDN Configuration

If behind a Web Application Firewall (WAF) or CDN:

  • Enable "HTTP/2 Protocol Anomaly" detection profiles if available.
  • Enforce limits on header size and the number of headers per request at the edge.
  • Challenge or block User-Agents that fail to handle HTTP/2 prefaces correctly.

4. Infrastructure Monitoring

Set up alerts for:

  • Web server process memory usage (RSS) exceeding baseline.
  • High CPU utilization on load balancers with low throughput (bytes/sec).
