
Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

From: James M Snell <jasnell@gmail.com>
Date: Fri, 26 Apr 2013 10:54:33 -0700
Message-ID: <CABP7RbdscuxpBBQp1ydSQUri0Bg_aGSbm-ftF9Jnc-p_1DqnFg@mail.gmail.com>
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
https://github.com/http2/http2-spec/issues/80#issuecomment-17089487

In the current draft (-02), we say that Unknown and unrecognized Frame
types MUST be ignored by an endpoint. While this is ok in theory, this
can be very dangerous in practice. Specifically, an attacking sender
could choose to flood a recipient with a high number of junk frames
that use a previously unused type code. Because of the MUST IGNORE
rule, these would simply be discarded by the recipient but the damage
will already have been done. Flow control actions could help mitigate
the problem, but those are only partially effective.

Also, the order of processing here for error handling is not clear.

Let's say an attacker sends a HEADERS frame to the server initiating a
stream. The server sends an RST_STREAM REFUSED_STREAM fully closing
the stream. The attacker continues to send JUNK frames for the same
stream ID. There are two conditions happening here:

1. The sender is sending frames for a closed stream, which ought to
result in an RST_STREAM, but...

2. The frame type is unknown and unrecognized by the server so MUST be ignored.

Which condition takes precedence, and how do we mitigate the possible
attack vector on this one?

- James
Received on Friday, 26 April 2013 17:55:20 UTC
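
The scenario in the message, replayed against a toy receiver under both possible precedence orders. This is an added example, not code from the draft or from the message author. The type codes, the Receiver class and the ignore_budget limit (one possible mitigation: end the connection after too many discarded frames) are assumptions made for illustration.

```python
from collections import Counter

# Constructed type codes for illustration only; not taken from the draft.
HEADERS, RST_STREAM, JUNK = 0x01, 0x03, 0xEE
KNOWN_TYPES = {HEADERS, RST_STREAM}

class Receiver:
    """Toy endpoint that refuses every new stream, as in the scenario."""
    def __init__(self, closed_first, ignore_budget=None):
        self.closed_first = closed_first    # True: closed-stream check wins
        self.ignore_budget = ignore_budget  # hypothetical cap on discarded frames
        self.closed = set()                 # stream IDs already reset
        self.sent = []                      # frames this endpoint sends back
        self.stats = Counter()

    def on_frame(self, ftype, stream_id):
        """Handle one frame; return False once the connection is ended."""
        self.stats["received"] += 1
        unknown = ftype not in KNOWN_TYPES
        on_closed = stream_id in self.closed
        # MUST IGNORE applies unless the closed-stream rule is given precedence.
        if unknown and not (self.closed_first and on_closed):
            self.stats["ignored"] += 1
            if self.ignore_budget is not None and self.stats["ignored"] > self.ignore_budget:
                self.sent.append(("GOAWAY", 0))
                return False
            return True
        if on_closed:
            self.sent.append(("RST_STREAM", stream_id))
            self.stats["rst_sent"] += 1
            return True
        if ftype == HEADERS:
            self.closed.add(stream_id)      # refuse the stream (REFUSED_STREAM)
            self.sent.append(("RST_STREAM", stream_id))
            self.stats["rst_sent"] += 1
        return True

def replay(frames, **kw):
    """Feed frames to a fresh Receiver until it ends the connection."""
    rx = Receiver(**kw)
    for ftype, stream_id in frames:
        if not rx.on_frame(ftype, stream_id):
            break
    return rx

# Constructed traffic: one HEADERS frame, then 1000 junk frames on the same stream.
TRAFFIC = [(HEADERS, 1)] + [(JUNK, 1)] * 1000

if __name__ == "__main__":
    for kw in ({"closed_first": False}, {"closed_first": True},
               {"closed_first": False, "ignore_budget": 100}):
        rx = replay(TRAFFIC, **kw)
        print(kw, dict(rx.stats), "last sent:", rx.sent[-1])
```

With MUST IGNORE first, the junk frames are read and discarded with no response at all; with the closed-stream rule first, every junk frame costs the receiver an RST_STREAM as well. Only the budgeted variant bounds the work done per connection.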
