• OpenAI's Codex helps discover HTTP/2 Bomb DoS attack that can nuke

    From TechnologyDaily@1337:1/100 to All on Thursday, June 04, 2026 21:15:25
    OpenAI's Codex helps discover HTTP/2 Bomb DoS attack that can nuke over 30GB
    of RAM within seconds, knocking web servers offline before they can react

    Date:
    Thu, 04 Jun 2026 20:10:00 +0000

    Description:
    A new attack technique affects HTTP/2 configurations of major web servers,
    but some have released patches already.

    FULL STORY ======================================================================

    - New DoS technique dubbed HTTP/2 Bomb
    - Exploits compression and flow-control stalling
    - Major web servers confirmed vulnerable

    We can thank AI for a new denial-of-service (DoS) technique that can knock a server offline in mere seconds, using nothing but
    a single computer with a 100 Mbps connection.

    Earlier this week, cybersecurity researchers Calif disclosed the discovery of a
    new DoS technique called HTTP/2 Bomb. They used OpenAI's Codex software agent to discover it, saying it combines two previously known HTTP/2 DoS methods: HPACK compression amplification and Slowloris-style resource retention via HTTP/2 flow-control stalling. Simply put, the attack tricks a web server into reserving large amounts of memory while sending very little data. The attacker exploits a feature in HTTP/2 that allows small requests to expand into much larger amounts of data inside the server, forcing it to allocate memory.

    Proof of Concept released

    Normally, that memory would be released after processing the request.
    However, the attacker then uses a separate HTTP/2 feature to keep the connection open indefinitely. As more malicious requests arrive, memory usage grows fast, until the server slows down and ultimately crashes.

    Calif says the technique works on HTTP/2 configurations of major web servers, including NGINX, Apache HTTP Server, Microsoft IIS, Envoy, and Cloudflare Pingora.

    According to CyberInsider, the affected products "power a significant
    portion of the web", suggesting that the risk is quite extensive. Some have already issued a patch, while others remain vulnerable. Keep track of your servers' configurations for incoming updates.

    A home computer on a 100Mbps connection can render a vulnerable server inaccessible within seconds. Against Apache httpd and Envoy, a single client can consume and hold 32GB of server memory in roughly 20 seconds, the researchers said.

    Current defenses are powerless against HTTP/2 Bomb, it was further explained. Limits on the total decoder header size, for example, don't work since
    header values used in the attack are minuscule.

    Technical details will be released later this month, it was said, but Calif already released a proof-of-concept (PoC).

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/openais-codex-helps-discover-http-2-bomb-dos-attack-that-can-nuke-over-30gb-of-ram-within-seconds-knocking-web-servers-offline-before-they-can-react


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)