W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2008

Overlapping ranges

From: V13 <v13@v13.gr>
Date: Fri, 10 Oct 2008 20:15:50 +0300
To: ietf-http-wg@w3.org
Message-Id: <200810102015.50244.v13@v13.gr>

Hello there,

While you are at the ranges thing, I'd like to request/suggest/ask that 
requests with overlapping ranges be prohibited or at least deprecated.

Allowing overlapping ranges permits the client side to request more data than 
the largest file available at the server side. It is trivial to construct a 
100MB file request from 200 overlapping partial requests of a 500K file. This 
allows the TCP optimistic ACK attack [1] to be performed on web servers all 
over the world.

I'm (we're) currently writting this as a paper and I'll post it here too if 
you like, when it is finished but until then just take my word. As far as I 
know this is the only known way that one can force the server side to 
transmit at rates much higher than the disk I/O rate (because requesting the 
same range takes advantage of the disk cache). When combined with persistent 
connections it also the only known way to infinitely request data from the 
server side. This gives enough time to TCP to reach its maximum transmission 
rate and keep that rate.

For the record, we were able to force a web server to continuously transmit at 
900Mbps over the Internet for more than 5 minutes (until interrupted) using 
just a 100Mbytes file, overlapping ranges and a persistent HTTP connection. 
Without overlapping ranges this wouldn't be possible.

So, since there is no sane usage of overlapping ranges (as far as I can tell), 
they should be either forbidden or have a security note added (perhaps with a 
pointer to the paper - if/when published - later). 

[1] http://www.mail-archive.com/linux-net%40vger.kernel.org/msg01053.html
Received on Friday, 10 October 2008 17:16:33 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:50:56 GMT