W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2009

Re: #131: Connection limits (proposal)

From: Adrien de Croy <adrien@qbik.com>
Date: Mon, 19 Oct 2009 20:11:49 +1300
Message-ID: <4ADC1135.7050209@qbik.com>
To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
CC: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

William A. Rowe, Jr. wrote:
> Adrien de Croy wrote:
>>> This does not address my specific concern, which is to beat into the implementors
>>> heads not to aggressively retry parallel connections where none will be permitted;
>> Do we therefore need some wording on how a client should detect such
>> cases, and respond?  E.g. since there's no specific status code for a
>> rejection based on number of concurrent connections, it would at best be
>> an assumption that this is occuring.   I agree hammering away would be
>> problematic.
> The larger issue is that server implementors (rightfully) do proceed to blacklist the
> relevant IP addresses as abusive, whether at the firewall/load balancer or http server
> demarcation.  My comment was ment to illustrate that this behavior is correct, and
> that the client behavior is invalid.
but the client in this case - what is the chance of it being a 
human-operated browser?

I've seen cases where the server starts responding with a 503 (google 
maps does this if you scroll around for too long).

If the connection rate is deemed high enough to be a DOS attack, that is 
a different issue - one I'd be reluctant to try and address in HTTP.

If there will be no response to the client, I think all bets are off, 
but which clients are we talking about?  Custom attack clients?  They 
will ignore any requirement they like anyway.

Otherwise if a site blacklists an IP due to bona fide human activity, I 
would argue perhaps the threshold is too low.  People can create other 
problems by setting arbitrary limits, arbitrarily deciding what 
constitutes abuse vs acceptable use etc.

None of these I believe would be solved by a recommendation in HTTP though?

> We can't implement a server response code to a dropped/refused connection; it is up
> to the client to determine that a second/third/fourty-fifth connection is unwelcome
> and stay at level or back off from consuming excessive services.

I think this could be solved with a status code.  Disconnecting at a 
firewall gives an ambiguous message.

Adrien de Croy - WinGate Proxy Server - http://www.wingate.com
Received on Monday, 19 October 2009 07:08:27 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:10:52 UTC