This module performs profile-driven HTTP/2 HPACK bomb denial-of-service attacks against vulnerable servers. The module selects the requested profile and applies its default attack parameters unless PORT, CONNECTIONS or STREAMS are overridden. It verifies target reachability and, when required, records a pre-attack TCP or TLS latency baseline. It then establishes HTTP/2 sessions by negotiating h2, sending the client preface, and completing the initial SETTINGS exchange. After setup, it sends profile-specific HPACK bomb payloads through HEADERS and CONTINUATION frames across multiple streams. These payloads force the server to expand small compressed header blocks into much larger in-memory header state or repeated header reconstruction work. The attacked streams are held open for a profile-specific interval, optionally using WINDOW_UPDATE drips to keep server-side state active. Finally, the module determines success from post-attack liveness, latency degradation, or recovery behavior, depending on the selected profile. Blank parameters inherit the selected profile defaults. Most profiles require TLS plus ALPN h2 support in the runtime SSL stack. Pingora can be used over cleartext h2c by disabling USE TLS.
CVE Link
Exploit Type
Product Name