"?> Re: Header compression: buffer management from Poul-Henning Kamp on 2013-03-22 (ietf-http-wg@w3.org from January to March 2013)

W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2013

Re: Header compression: buffer management

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Fri, 22 Mar 2013 07:38:24 +0000
To: James M Snell <jasnell@gmail.com>
cc: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>, ietf-http-wg@w3.org
Message-ID: <2940.1363937904@critter.freebsd.dk>
In message <CABP7RbdL=cV2qSMBA3Me65T8tGaU3p9F5Wc690Jqk7q8xk_=iw@mail.gmail.com>
, James M Snell writes:

>I've briefly looked at this and it definitely is a challenge.  With delta,
>we at least have the benefit of allowing the decompressor to set an upper
>bound on stored state size,  but even that can be problematic under heavy
>load and does not completely resolve the issue.  For instance,  a malicious
>client could potentially send hundreds of junk headers frames intentionally
>designed to make the decompressor do significant extra work managing it's
>internal buffers.

Any request-response protocol is more or less vulnerable in this respect.

There are basically two things you can do to mitigate:

1) Severely circumscribe the first request on a connection.  This vastly
   increases the attackers cost of attack and makes sure that the server
   can scrutinize the first request for signs of malicious behaviour.

2) Make sure that the first request becomes available progressively
   to enable similar heuristics on the fly.

I think #1 is far preferable to #2, as a matter of usability for
the people writing the non-client code, but if done right #2 is a
workable solution.

One way to implement #1 is to specify that the first request, however
encoded, compressed or serialized, cannot be bigger than N bytes
on the wire.  For instance setting N to 8192.

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Friday, 22 March 2013 07:38:51 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 11:11:10 UTC