
Re: Re[4]: HTTP2 Expression of Interest : Squid

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Tue, 17 Jul 2012 10:49:03 +0000
To: "Adrien de Croy" <adrien@qbik.com>
cc: "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <74652.1342522143@critter.freebsd.dk>
In message <emc7be1028-2d4d-4336-b386-fbf9464e9559@reboist>, "Adrien de Croy" writes:

>I agree, and actually I'd be keen to apply this philosophy in both
>directions, where no significant resource is transmitted in either
>direction without the recipient indicating prior willingness (either by
>requesting it, or indicating willingness).  What I'm getting at here is
>large POST / PUT requests.  Currently it's a mess esp with auth in the
>mix.

Assuming HTTP/2.0 gets good mux/pipe-lining, I would like to propose
a default limit of max one connection from each client to each server,
until the server transmits a permission to open multiple parallel
connections.

This would take serious steam out of DoS attacks, without affecting
legitimate users.

A similar approach could be used for request body size:  A default
hard limit of X bytes, until the server gives you permission for more.

I know of no web services where you send a 4GB POST point blank, and
certainly none where doing an initial "HEAD /" would be an unbearable
cost.

This would also seriously disarm the DoS bots.


-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Tuesday, 17 July 2012 10:49:26 GMT
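
An added example, not part of the original message: a server-side sketch of the two defaults proposed above (one connection per client, and a body-size cap, each until the server grants more). The class and method names, the 64 KiB stand-in for "X bytes", and the rule that a body of undeclared length is refused are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed values: the message leaves the body limit as "X bytes".
DEFAULT_MAX_CONNS = 1
DEFAULT_MAX_BODY = 64 * 1024  # constructed stand-in for X


@dataclass
class ClientState:
    open_conns: int = 0
    max_conns: int = DEFAULT_MAX_CONNS
    max_body: int = DEFAULT_MAX_BODY


@dataclass
class AdmissionPolicy:
    """Hypothetical per-client bookkeeping for the proposed default limits."""
    clients: dict = field(default_factory=dict)

    def _state(self, client: str) -> ClientState:
        return self.clients.setdefault(client, ClientState())

    def open_connection(self, client: str) -> bool:
        """Accept a new connection only while the client is under its limit."""
        st = self._state(client)
        if st.open_conns >= st.max_conns:
            return False  # no permission for parallel connections yet
        st.open_conns += 1
        return True

    def close_connection(self, client: str) -> None:
        st = self._state(client)
        st.open_conns = max(0, st.open_conns - 1)

    def grant(self, client: str, max_conns=None, max_body=None) -> None:
        """Record the server's permission to exceed a default limit."""
        st = self._state(client)
        if max_conns is not None:
            st.max_conns = max_conns
        if max_body is not None:
            st.max_body = max_body

    def admit_body(self, client: str, declared_length) -> bool:
        """Decide from the declared length alone, before reading any body bytes."""
        if declared_length is None or declared_length < 0:
            return False  # assumption: undeclared length gets no benefit of doubt
        return declared_length <= self._state(client).max_body
```

The body check runs on the declared length only, so a refused upload costs the server a header parse rather than buffer space.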
