News recently surfaced about a new HTTP/2 denial-of-service technique dubbed the “HTTP/2 Bomb”, reported to affect a number of HTTP/2 implementations including Envoy, Apache httpd, nginx, Microsoft IIS and Cloudflare Pingora.
Reference: https://github.com/califio/publications/tree/main/MADBugs/http2-bomb
We have studied the technique and concluded that Varnish is not affected.
The attack combines an HPACK “indexed-reference bomb”, where thousands
of one-byte header references expand into a large amount of server
memory, with a zero-sized flow-control window that pins that memory in
place. Varnish is not vulnerable to the amplification that makes this
effective. As with the HTTP/2 CONTINUATION flood reported in 2024,
memory used while processing HPACK is limited to a fixed buffer size
regardless of the incoming header set, and the number of header fields
per request is strictly capped (http_max_hdr), so such a request is
rejected before any significant memory is consumed.
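To make the amplification and the counter-measure concrete, here is a small bounded HPACK decoder (an added example, not Varnish's code) that handles only indexed fields and literals with incremental indexing, without Huffman coding. The cap of 64 fields mirrors http_max_hdr's default; the 32 KiB buffer size, the static-table subset and the per-field overhead are assumptions chosen for the illustration.

```python
STATIC = {2: (b":method", b"GET"), 4: (b":path", b"/"), 7: (b":scheme", b"https")}  # subset
STATIC_SIZE = 61  # RFC 7541 static table size; dynamic table entries start at index 62

def decode_int(buf, pos, prefix_bits):
    """RFC 7541 section 5.1 integer decoding; returns (value, next position)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def read_string(buf, pos):
    length, pos = decode_int(buf, pos, 7)  # Huffman bit masked off: raw strings only here
    return bytes(buf[pos:pos + length]), pos + length

def decode_bounded(block, max_hdr=64, buf_size=32768):
    """Decode until the block ends or a bound trips; returns (fields, bytes used, reason).
    max_hdr mirrors http_max_hdr; buf_size stands in for the fixed header buffer."""
    dyn, count, used, pos = [], 0, 0, 0
    def lookup(i):
        return STATIC[i] if i <= STATIC_SIZE else dyn[i - STATIC_SIZE - 1]
    while pos < len(block):
        if block[pos] & 0x80:                     # indexed field: one wire byte
            idx, pos = decode_int(block, pos, 7)
            name, value = lookup(idx)
        elif block[pos] & 0x40:                   # literal with incremental indexing
            idx, pos = decode_int(block, pos, 6)
            name, pos = read_string(block, pos) if idx == 0 else (lookup(idx)[0], pos)
            value, pos = read_string(block, pos)
            dyn.insert(0, (name, value))          # newest entry becomes index 62
        else:
            raise ValueError("representation outside this example's subset")
        count, used = count + 1, used + len(name) + len(value) + 4  # +4: terminators (constructed)
        if count > max_hdr:
            return count, used, "http_max_hdr exceeded"
        if used > buf_size:
            return count, used, "header buffer exhausted"
    return count, used, "ok"

def sample_block(refs=10000):
    """Constructed input: one 126-byte literal added to the dynamic table, then
    `refs` one-byte references to it (0x80 | 62 == 0xBE)."""
    literal = b"\x40\x05x-pad" + bytes([126]) + b"A" * 126
    return literal + bytes([0x80 | (STATIC_SIZE + 1)]) * refs
```

With the default bounds the sample is rejected at the 65th field after under 9 KiB of decoded headers, while an unbounded decode of the same 10 KiB block expands to over 1.3 MB.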
The zero-window behaviour is also bounded: Varnish limits how long a
stream may wait for flow-control credit (h2_window_timeout, five
seconds by default) and tears down a connection whose streams are all
starved. Because response bodies are served directly from shared,
reference-counted cache storage rather than buffered per stream, a
stalled connection holds only a small, fixed amount of memory that is
reclaimed automatically.
Please get in touch via support if you have any questions.