
Re: proposal for issue #175 range flooding

From: Henrik Nordström <henrik@henriknordstrom.net>
Date: Sun, 09 May 2010 21:17:58 +0200
To: Yves Lafon <ylafon@w3.org>
Cc: ietf-http-wg@w3.org
Message-Id: <1273432678.14031.9.camel@localhost.localdomain>
Thu 2010-03-25 at 19:34 -0400, Yves Lafon wrote:
> The proposal is to add the following text in section 7.
> (Security Considerations) of Part 5 [1]
> <<
> 7.1 Range Flooding
> 
>   Range requests containing overlapping ranges may lead to the situation
>   where a server is sending far more data than the size of the complete
>   resource representation. This can generate Denial of Service attacks.
> >>
> There are multiple ways a server can reject (or ignore the Range: header)
> such requests, so no advice is given on how to process it.
> 
> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-09#section-7

I don't really see how this is a denial of service. Sure, it may make the
server send a lot of data, but so does a pipelined chain of requests,
with only a marginal difference in the amount of traffic the requesting
client has to send, or even a single plain request for a large object
(ISO image etc.).

In all three cases the server will happily fill whatever bandwidth is
available between the server & client for the duration of the requested
data.

Regards
Henri
Received on Sunday, 9 May 2010 19:18:28 GMT
