On June 3 (local time), U.S. security company Calif warned about a new DoS attack method called “HTTP/2 Bomb” that can overload and stop a web サーバ (saaba, server) with only a small amount of traffic. According to the company, even a home PC with a 100Mbps connection could bring a vulnerable server down in just seconds.
The news quickly spread through Japan’s tech industry. Hosting provider Sakura Internet carried out emergency メンテナンス (mentenansu, maintenance) on the night of June 4, temporarily switching its web servers from HTTP/2 to HTTP/1.1 as a protective measure.
What Is “HTTP/2 Bomb”?
The issue was discovered by OpenAI’s coding assistant tool “Codex,” according to Calif. The company says the attack targets a 脆弱性 (zeijakusei, vulnerability) in HTTP/2, a widely used web communication protocol designed to make websites load faster and more efficiently.
With about a 100Mbps connection, even a personal computer at home could force a vulnerable server offline in seconds. The attack affects major web server software and ロードバランサー (roodo baransaa, load balancer) systems, including:
- nginx
- Apache httpd
- Microsoft IIS
- Envoy
- Cloudflare Pingora
In particular, Calif states that when targeting Apache httpd or Envoy, a single client could consume and occupy 32GB of server memory in around 20 seconds.
How the Attack Works
“HTTP/2 Bomb” combines two attack techniques that have each been known for about a decade.
1. Abusing HPACK Header Compression
HTTP/2 uses a header compression method called HPACK to reduce data usage. It allows previously sent information to be referenced again with a short identifier—sometimes as small as one byte.
Attackers exploit this feature by referencing the same information thousands of times in a single request. The attacker sends only a tiny amount of data, but the server expands every reference into a full header, so its memory usage grows to thousands of times the size of the request, filling up memory and exhausting resources.
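To make the amplification concrete, the following added Python example (not code from Calif or from any of the affected servers) walks a header block, charges each decoded header at the RFC 7541 entry size, and aborts once a cap is exceeded. It covers only a narrow subset of HPACK (dynamic-table references and non-Huffman literals with a new name); the function names, the cap values and the `SAMPLE` bytes are constructed for illustration.

```python
ENTRY_OVERHEAD = 32  # RFC 7541 section 4.1: size = len(name) + len(value) + 32
STATIC_ENTRIES = 61  # indexes 1..61 are the static table; 62 and up are dynamic
# Constructed sample: one literal header (name "x", 100-byte value), then 50 one-byte references.
SAMPLE = b"\x40\x01x\x64" + b"v" * 100 + b"\xbe" * 50

class HeaderListTooLarge(Exception):
    """The decoded header list exceeded the configured cap."""

def read_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix integer (RFC 7541 section 5.1); return (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos = buf[pos] & mask, pos + 1
    if value == mask:                       # value continues in following bytes
        shift = 0
        while True:
            byte = buf[pos]
            pos += 1
            value += (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                break
    return value, pos

def read_string(buf, pos):
    """Decode a non-Huffman string literal; return (bytes, next_pos)."""
    if buf[pos] & 0x80:
        raise ValueError("Huffman strings are outside this subset")
    length, pos = read_int(buf, pos, 7)
    return buf[pos:pos + length], pos + length

def decoded_size(block, limit):
    """Return the decoded header-list size, raising as soon as it exceeds `limit`."""
    dynamic, total, pos = [], 0, 0
    while pos < len(block):
        if block[pos] & 0x80:               # indexed header field (can be one byte)
            index, pos = read_int(block, pos, 7)
            if index <= STATIC_ENTRIES:
                raise ValueError("static table is outside this subset")
            name, value = dynamic[index - STATIC_ENTRIES - 1]
        elif block[pos] == 0x40:            # literal, incremental indexing, new name
            name, pos = read_string(block, pos + 1)
            value, pos = read_string(block, pos)
            dynamic.insert(0, (name, value))
        else:
            raise ValueError("representation outside this subset")
        total += len(name) + len(value) + ENTRY_OVERHEAD
        if total > limit:                   # stop before materialising more headers
            raise HeaderListTooLarge(f"{total} > {limit} after {pos} wire bytes")
    return total
```

The 154-byte sample decodes to 6,783 bytes of header list, and because the cap is checked inside the decode loop the work stops at the first header that crosses it instead of after the whole block has been expanded.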
2. Slowloris-Style Connection Holding
The second method is known as “Slowloris.” In this technique, the attacker deliberately avoids receiving the server’s response and keeps the connection open as long as possible.
Individually, both techniques were already known. However, Calif explains that Codex discovered that combining them allows attackers to occupy large amounts of memory for extended periods.
Sakura Internet’s Emergency Response
In Japan, Sakura Internet announced on June 5 that it had discovered a vulnerability in HTTP/2 that could allow services to be stopped by external attacks. The company confirmed that this was related to “HTTP/2 Bomb.”
On the night of June 4, Sakura implemented emergency maintenance affecting:
- “Sakura Rental Server” plans (Light, Standard, Premium, Business, Business Pro)
- All “Sakura Managed Server” plans
- All reseller-oriented rental server services
As a 暫定措置 (zantei sochi, temporary measure), the company switched from HTTP/2 to HTTP/1.1. This is an example of the pattern 〜として (〜 toshite, “as”), used here to describe an action taken as a measure.
Sakura noted that in some environments, page display speeds may become slightly slower under HTTP/1.1. However, browsing and site functionality would not be affected. The company plans to re-enable HTTP/2 once a permanent fix is ready.
Other companies in Japan, including GMO Internet Group (which provides Onamae.com), have also taken temporary countermeasures.
Past Large-Scale HTTP/2 Attacks
This is not the first time HTTP/2 has been linked to major attacks. In 2023, Google, Cloudflare, and Amazon disclosed massive DDoS attacks that used the “HTTP/2 Rapid Reset Attack” (CVE-2023-44487).
Calif recommends updating to patched software versions. If updating is not possible, it advises administrators to 無効化 (mukouka, disable) HTTP/2—exactly the step Sakura Internet took.
Cultural Context: Why This Matters in Japan
Japan has a strong hosting and rental server culture. Many small businesses, creators, and developers rely on services like Sakura Internet to run websites and online shops.
Because of this, news about a serious セキュリティ (sekyuriti, security) issue spreads quickly. Companies often respond with immediate public notices and transparent explanations, especially when customer services might be affected.
You’ll also notice how many tech terms are written in katakana: サーバ, メンテナンス, ロードバランサー, and セキュリティ. Japanese IT vocabulary relies heavily on adapted English words, which makes reading tech news excellent practice for katakana mastery.
Learn Japanese from This Article
Key Vocabulary
| Japanese | Romaji | Meaning |
|---|---|---|
| セキュリティ | sekyuriti | security |
| メンテナンス | mentenansu | maintenance |
| サーバ | saaba | server |
| ロードバランサー | roodo baransaa | load balancer |
| 脆弱性 | zeijakusei | vulnerability |
| 暫定措置 | zantei sochi | temporary measure |
| 無効化 | mukouka | disable, deactivate |
Try reading this sentence:
HTTP/2に脆弱性が見つかった。
HTTP/2 ni zeijakusei ga mitsukatta.
“A vulnerability was found in HTTP/2.”
Grammar Spotlight
1. 〜をきっかけに
Meaning: triggered by; taking the opportunity of
Structure: Noun + をきっかけに
Example from this case:
Califの注意喚起をきっかけに、問題が話題になった。
Calif no chuui kanki o kikkake ni, mondai ga wadai ni natta.
“Triggered by Calif’s warning, the issue became widely discussed.”
You can use this pattern for personal experiences too:
日本旅行をきっかけに、日本語を勉強し始めました。
Nihon ryokou o kikkake ni, nihongo o benkyou shihajimemashita.
“I started studying Japanese after my trip to Japan.”
2. 〜として
Meaning: as; in the role of; as a measure
Structure: Noun + として
Example from the article:
暫定措置として、HTTP/1.1に切り替えた。
Zantei sochi toshite, HTTP/1.1 ni kirikaeta.
“They switched to HTTP/1.1 as a temporary measure.”
Another example:
エンジニアとして働いています。
Enjinia toshite hataraite imasu.
“I work as an engineer.”
Useful Expression
緊急メンテナンスを実施する
Kinkyuu mentenansu o jisshi suru
“To carry out emergency maintenance”
This phrase appears frequently in Japanese tech announcements.
Security news like this might seem technical at first, but it’s actually a goldmine for real-world Japanese. By reading about セキュリティ, 脆弱性, and emergency メンテナンス, you’re learning the same vocabulary Japanese engineers and companies use every day.
これからもよろしくお願いします。
Kore kara mo yoroshiku onegaishimasu.
