W3C home > Mailing lists > Public > ietf-http-wg@w3.org > October to December 2011

#311: Denial of Service and Ranges

From: Mark Nottingham <mnot@mnot.net>
Date: Thu, 24 Nov 2011 15:24:56 +1100
Message-Id: <03FA54FD-6086-4C26-B169-E7CFA399442C@mnot.net>
To: HTTP Working Group <ietf-http-wg@w3.org>
Roy raised the following about p5:

Servers that support Range requests as defined by 2616 are vulnerable to denial of service attacks due to the potential presence of many small or overlapping ranges. We can fix this by adding the following requirements:

1) Clients MUST NOT send Range requests containing multiple byterange specifiers that overlap. Servers MAY coalesce such overlapping ranges into a single range, regardless of the order those ranges are specified in the Range header field, or MAY respond with a 416 or 200 status instead.

2) Clients MUST NOT send Range requests containing multiple byterange specifiers that have a gap between ranges of less than 80 bytes, since the transmission overhead of multipart/byteranges parts is generally more than 80 bytes per range and is a far more significant burden on the server than simply transmitting the gap. Servers MAY coalesce multiple ranges with gaps smaller than the size of the corresponding multipart overhead, regardless of the order that those ranges are specified in the Range header field, or MAY respond with a 416 or 200 status instead.

3) Clients that send Range requests containing multiple byterange specifiers MUST list those ranges in ascending order within the Range header field value. Servers MAY reorder multiple ranges if they are not requested in ascending order, or respond with a 416 or 200 status instead.

<http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311>

Any comments? If not, we'll incorporate into the next drafts for review.


--
Mark Nottingham   http://www.mnot.net/
Received on Thursday, 24 November 2011 04:25:29 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 27 April 2012 06:51:50 GMT