W3C home > Mailing lists > Public > ietf-http-wg-old@w3.org > May to August 1998

Re: Drawbacks of persistent connections

From: Jim Gettys <jg@pa.dec.com>
Date: Mon, 15 Jun 1998 10:31:25 -0700
Message-Id: <9806151731.AA11124@pachyderm.pa.dec.com>
To: "J.P. Martin-Flatin" <martin-flatin@epfl.ch>
Cc: Jim Gettys <jg@pa.dec.com>, http-wg@cuckoo.hpl.hp.com

> Sender: jpmf@tcomhp20.epfl.ch
> From: "J.P. Martin-Flatin" <martin-flatin@epfl.ch>
> Date: Mon, 15 Jun 1998 19:13:43 +0200
> To: jg@pa.dec.com (Jim Gettys)
> Cc: http-wg@cuckoo.hpl.hp.com
> Subject: Re: Drawbacks of persistent connections
> -----
> On Mon, 15 Jun 1998 09:48:50 -0700, Jim Gettys wrote:
> >
> > > Section 8.1.1 may come across as slightly biaised, because it lists
> > > only advantages of persistent connections. In practice, these are
> > > balanced by drawbacks. For instance, if the timeout value of
> > > persistent connections is larger than the TCP connection timeout,
> > > denial-of-service attacks are more effective: by using up all possible
> > > connections, a malicious user can prevent access to a targeted server
> > > for a longer period of time. Perhaps a quick mention of this issue
> > > would make sense in section 8.1.4 (Practical Considerations)?
> >
> > The denial of service attack is the same between persistent connections
> > and non-persistent connections.  I can see no difference between the
> > two situations; the attacker does exactly the same thing in either case,
> > with the same result.
> 
> Presumably, the timeout of persistent connections will be longer than the
> TCP connection timeout (that is, the recommended time to maintain TCP
> TIME_WAIT state, generally 4 minutes). So even though the technique used
> for the attack is the same, the effect will be amplified in the case of
> persistent connections with long timeouts.
> 

No, actually, most of the benefit from persistent connections appears
to be in the first 30 seconds to a minute...


I don't think many busy servers will likely keep that long a timeout,
even with persistent connections.  Mogul's research showed that most
the value for "click ahead" occurs in the first few minutes, so a reasonable
timeout for a busy server (one which will likely have to time out connections
at all) is likely shorter than the TCP TIME_WAIT state.

As I said, the attack is the same, and the effect is the same...
				- Jim
Received on Tuesday, 16 June 1998 09:21:55 EDT

This archive was generated by hypermail pre-2.1.9 : Wednesday, 24 September 2003 06:33:19 EDT