A new web server flaw called the HTTP/2 Bomb vulnerability has been making headlines, and it is worth understanding even if you are not a technical person. In simple terms, it lets a single attacker knock a website or online service offline in seconds. Worse still, the attacker does not need a powerful computer or a large botnet to do it. A home internet connection is enough.

So if your business runs a website, a customer portal, an online booking system, or any service that lives on the internet, this one deserves a few minutes of your time. Below we explain what the HTTP/2 Bomb vulnerability is, who is affected, and the practical steps you should take next.

What is the HTTP/2 Bomb vulnerability?

HTTP/2 is a modern version of the technology that web browsers and servers use to talk to each other. Almost every busy website uses it because it makes pages load faster.

Recently, security researchers at a firm called Calif discovered a serious weakness in the way most web servers handle HTTP/2 by default. They named it the HTTP/2 Bomb. Interestingly, the flaw was found with the help of an AI coding tool, which is a clear sign of where this industry is heading. You can read the original write-up on the Calif research blog and the coverage on The Hacker News.

The flaw is a denial of service vulnerability. That means it does not steal your data directly. Instead, it makes your server run out of memory and stop responding. To your customers, the result looks the same as any other outage. Your website simply goes down.

How the attack works, in plain English

You do not need the technical detail to make a good decision. Still, a simple version helps.

Every web request carries small pieces of information called headers. HTTP/2 compresses these headers to save space. The attacker abuses that compression. They send tiny requests that force the server to set aside a large chunk of memory for each one.

Then comes the clever part. The attacker holds the connection open and never lets go. As a result, the server keeps that memory reserved and cannot free it. Repeat this thousands of times and the server quickly chokes.

The numbers are striking. According to the researchers, a single attacker on a 100 megabit home connection can tie up around 32 gigabytes of server memory in roughly 20 seconds. That is enough to take many servers offline almost instantly.

Why downtime is a real business problem

It is easy to think of a website outage as a minor inconvenience. In practice, it is often much more than that.

When your site goes down, you can lose sales, bookings, and enquiries. Customers may assume you have closed or that something is wrong. If your phones, email, or internal tools rely on the same systems, your whole team can grind to a halt.

For a business that runs on its online presence, even an hour of downtime carries a real cost. That is why a flaw this easy to trigger is worth taking seriously.

Which servers are affected?

This is not a niche problem. The vulnerability affects the most widely used web server software in the world, including:

  • NGINX
  • Apache HTTPD
  • Microsoft IIS
  • Envoy
  • Cloudflare Pingora

In other words, the software running a huge share of the internet is exposed in its default setup. Many Australian businesses rely on these tools, either directly or through their hosting and web providers.

What you should do now

The good news is that there are clear steps to reduce your risk. Some fixes are already available. Others are still in progress.

Here is the current picture:

  • NGINX: Upgrade to version 1.29.8 or later. This adds a new limit on the number of headers, set to 1000 by default. If you cannot upgrade yet, you can turn off HTTP/2 as a temporary measure.
  • Apache HTTPD: A fix is available in the updated HTTP/2 module. If you cannot update straight away, you can switch the server back to HTTP/1.1 for now.
  • Microsoft IIS, Envoy and Cloudflare Pingora: At the time of writing, no patch is available. These need close monitoring until a fix arrives.

If that list already feels like a foreign language, that is completely normal. The key point is simple. You need to know whether your systems use any of this software, and whether the right fix has been applied.

A few practical questions to ask:

  • Does our website or hosting use NGINX, Apache, IIS, Envoy or Cloudflare?
  • Has our provider applied the available patches?
  • Are we watching our servers for unusual activity or sudden outages?

If you are unsure of any answer, that uncertainty is the risk.
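For whoever administers the web servers behind your site, here is a small shell script, added as an example and not part of the original post or of any vendor's tooling, that works through the questions above: it maps a server's `Server` response header to the products named in this post, reports whether an NGINX version is 1.29.8 or later (the release this post names as adding the header-count limit), and checks whether an NGINX configuration still has HTTP/2 switched on. The classification, version and configuration logic run offline on constructed sample values; the `check_host` function does a live lookup with curl and assumes curl was built with HTTP/2 support. The `Server` header is self-reported and is often hidden or rewritten, so treat an "unknown" result as "ask the provider", not as "not affected".

```shell
#!/bin/sh
# Added example (not from the original post or from Sentry Cyber): a
# defender-side check for the person who administers your web servers.
# All sample values below are constructed for illustration.

# Map a Server header value to one of the products this post names.
# Prints the product, or "unknown" if the header matches none of them.
classify_server_header() {
  hdr=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$hdr" in
    *nginx*)         echo "NGINX" ;;
    *apache*)        echo "Apache HTTPD" ;;
    *microsoft-iis*) echo "Microsoft IIS" ;;
    *envoy*)         echo "Envoy" ;;
    *cloudflare*)    echo "Cloudflare (Pingora edge)" ;;  # assumption: "cloudflare" means the Cloudflare edge
    *)               echo "unknown" ;;
  esac
}

# Return 0 (true) if an NGINX version string is 1.29.8 or later, the version
# this post names as adding the default limit of 1000 headers.
# Accepts "1.29.8", "nginx/1.29.8" or "1.29.8-1ubuntu1".
nginx_has_header_limit() {
  v=${1#nginx/}
  v=$(printf '%s' "$v" | sed 's/[^0-9.].*$//')   # drop packaging suffixes
  major=${v%%.*}
  rest=${v#*.};   [ "$rest" = "$v" ] && rest=0
  minor=${rest%%.*}
  patch=${rest#*.}; [ "$patch" = "$rest" ] && patch=0
  # Compare field by field against 1.29.8.
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$minor" -gt 29 ]; then return 0; fi
  if [ "$minor" -lt 29 ]; then return 1; fi
  [ "$patch" -ge 8 ]
}

# Return 0 if an NGINX configuration (passed as text) enables HTTP/2, via
# either the older "listen ... http2;" form or the newer "http2 on;" directive.
# Comments are stripped first so a commented-out directive does not count.
nginx_config_enables_http2() {
  printf '%s\n' "$1" | sed 's/#.*$//' | grep -Eq \
    '(^|[[:space:]])listen[[:space:]][^;]*[[:space:]]http2([[:space:]]|;)|(^|[[:space:]])http2[[:space:]]+on[[:space:]]*;'
}

# Live lookup for one hostname (needs network; not run at top level).
# Shows what the server claims to be and whether it negotiates HTTP/2 at all.
check_host() {
  host=$1
  hdr=$(curl -sS -D - -o /dev/null --max-time 10 "https://$host/" \
        | awk 'tolower($1)=="server:" {sub(/^[^:]*: */,""); print; exit}' | tr -d '\r')
  proto=$(curl -sS -o /dev/null --http2 --max-time 10 -w '%{http_version}' "https://$host/")
  printf '%s: server=%s (%s), negotiated HTTP/%s\n' \
    "$host" "${hdr:-none}" "$(classify_server_header "$hdr")" "$proto"
}

# Offline demonstration on constructed values.
for h in 'nginx/1.28.0' 'Apache/2.4.58 (Ubuntu)' 'Microsoft-IIS/10.0' 'envoy' 'cloudflare' 'ExampleServer/1.0'; do
  printf '%-24s -> %s\n' "$h" "$(classify_server_header "$h")"
done
for v in 1.28.0 1.29.7 1.29.8 1.30.0; do
  if nginx_has_header_limit "$v"; then
    echo "nginx $v: has the 1000-header limit"
  else
    echo "nginx $v: upgrade to 1.29.8 or later, or turn off HTTP/2 for now"
  fi
done

# Constructed configs: one still exposed, one with HTTP/2 switched off.
exposed_conf='server {
    listen 443 ssl http2;   # older form: http2 as a listen parameter
    server_name example.com;
}'
mitigated_conf='server {
    listen 443 ssl;
    http2 off;              # HTTP/2 switched off as a temporary measure
    server_name example.com;
}'
for c in exposed_conf mitigated_conf; do
  eval "text=\$$c"
  if nginx_config_enables_http2 "$text"; then
    echo "$c: HTTP/2 is on"
  else
    echo "$c: HTTP/2 is off"
  fi
done
```

Run `check_host yourdomain.example` to see what a live server reports; the offline part runs as-is. A version at or above 1.29.8 only tells you the limit is present, not what value it has been set to, so the configuration should still be reviewed after the upgrade.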

This is part of a bigger pattern

The HTTP/2 Bomb does not exist in isolation. We have covered several major issues in recent weeks, and together they tell a story.

For example, we wrote about the critical cPanel and WHM vulnerability that the Australian Cyber Security Centre confirmed was being actively exploited here in Australia. We also explained how attackers are hiding malicious code inside trusted developer packages that software teams use every day. And in our guide to penetration testing methods, we looked at how AI is now helping both defenders and attackers find flaws faster than ever.

The HTTP/2 Bomb fits the same trend. It was found using an AI tool. It is simple to launch. And it targets software that almost everyone uses. In short, the pace is increasing, and last year’s defences may not hold this year.

How Sentry Cyber can help

You do not need to become a security expert. You just need someone in your corner who is.

At Sentry Cyber, we help Australian businesses work out exactly where they stand. For a threat like this, that usually means a quick review of your internet-facing systems and the software behind them.

Our vulnerability assessment service checks your environment for known weaknesses, including issues like the HTTP/2 Bomb. Our cyber security monitoring keeps watch for unusual activity and sudden outages, so you find out quickly if something is wrong. And our security consulting gives you ongoing expert guidance without the cost of a full-time hire.

Above all, we explain everything in plain English. No jargon, no scare tactics, and no long technical report that leaves you none the wiser.

The bottom line

The HTTP/2 Bomb vulnerability is a real and active risk. It can take a website or online service offline in seconds, and it affects software used right across the internet. Some fixes are ready now. Others are not, which makes monitoring even more important.

You do not have to face this alone. Reach out for a complimentary call and we will help you work out whether your business is affected and what to do about it. There is no pressure and no jargon, just clear advice.

Book your complimentary call with Sentry Cyber today.

FAQ

What is the HTTP/2 Bomb vulnerability?

It is a newly discovered weakness in the way most web servers handle HTTP/2, the modern technology behind fast websites. It lets a single attacker exhaust a server's memory until the website stops responding. It affects popular software such as NGINX, Apache, Microsoft IIS, Envoy and Cloudflare Pingora.

Does the HTTP/2 Bomb steal my data?

No. It is a denial of service flaw, which means it knocks your website or service offline rather than stealing information. The damage is downtime and disruption, not data theft. However, attackers often use an outage as a distraction, so it should still be taken seriously.

How do I know if my business is affected?

You would need to know which web server software your site and hosting use, and whether the right fix has been applied. Most business owners cannot answer that on their own, and they should not have to. A quick review can confirm it for you.

My website is hosted by a provider. Am I still at risk?

Possibly. Many hosting providers run the affected software in the background. The safest approach is to contact your provider and ask whether they have patched for the HTTP/2 Bomb. If you are not getting a clear answer, we can help you check.

Is there a fix available?

Partly. NGINX and Apache have released updates. Microsoft IIS, Envoy and Cloudflare Pingora did not have a patch at the time of writing, so those systems need close monitoring until a fix arrives.

How can Sentry Cyber help with this?

We can review your internet-facing systems, confirm whether you use any of the affected software, and check that the right fixes are in place. We also offer ongoing monitoring so you are alerted quickly if something goes wrong. Everything is explained in plain language. Contact us for a complimentary call to get started.