The companies said that a bug in the HTTP/2 protocol allowed threat actors a fresh angle for overwhelming websites with a flood of traffic, making them temporarily unavailable to users.