- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Tue, 17 Jul 2012 10:49:03 +0000
- To: "Adrien de Croy" <adrien@qbik.com>
- cc: "Amos Jeffries" <squid3@treenet.co.nz>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
In message <emc7be1028-2d4d-4336-b386-fbf9464e9559@reboist>, "Adrien de Croy" w rites: >I agree, and actually I'd be keen to apply this philosphy in both=20 >directions, where no significant resource is transmitted in either=20 >direction without the recipient indicating prior willingness (either by=20 >requesting it, or indicating willingness). What I'm getting at here is=20 >large POST / PUT requests. Currently it's a mess esp with auth in the=20 >mix. Assuming HTTP/2.0 gets good mux/pipe-lining, I would like to propose a default limit of max one connection from each client to each server, until the server transmit a permission to open multiple parallel connections. This would take serious steam out of DoS attaks, without affecting legitimate users. A similar approach could be used for request body size: A default hard limit of X bytes, until the server gives you permission for more. I know of no web services where you send a 4GB POST point blank, and certainly none where doing an intial "HEAD /" would be an unbearble cost. This would also seriously disarm the DoS bots. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.
Received on Tuesday, 17 July 2012 10:49:26 UTC