- From: Poul-Henning Kamp <phk@phk.freebsd.dk>
- Date: Tue, 01 Jul 2014 23:48:09 +0000
- To: Roberto Peon <grmocg@gmail.com>
- cc: Jeff Pinner <jpinner@twitter.com>, Johnny Graettinger <jgraettinger@chromium.org>, William Chan (ιζΊζ) <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Jesse Wilson <jesse@swank.ca>, HTTP Working Group <ietf-http-wg@w3.org>
In message <CAP+FsNdAmQbzSnNE9CHM8i1j6oyJ194HnVVm=UxZRT1AhpGUAw@mail.gmail.com>, Roberto Peon writes:

> It would have been good to have had you sit in while the group involved in
> creating HTTP2 discussed DoS considerations, which have been brought up
> consistently over the course of the development of the protocol.

Yeah, well, sorry for not having a budget to spend on HTTP/2...

That said: If DoS has been brought up consistently, it seems to have
very little to show for it.

> If we see widespread deployment of HTTP2 in the clear, it would end up
> being no worse than HTTP1 in terms of DoS potential, which is acceptable
> (if not optimal) today.

I disagree, defending non-TLS HTTP/2 against DoS attacks is going to be
(much) harder than defending HTTP/1.

> In any case, your example is only useful for servers or clients which are
> not deploying over TLS.

... because TLS provides the mechanism for "proof of work" for you which
plaintext HTTP/2 lacks.

> Regardless of choosing to deploy with/without TLS, when under DoS attack,
> one sets the various SETTINGS to conservative values thus,

There is no setting for "I'm going to service only this many requests so
don't send any more until I increase it"

There is no setting for "I'm not accepting HEADERS longer than..."

There is no setting for "I'm not accepting CONTINUATION at all..."

So sorry, but no cigar...

> The question that should be asked is:
> How is HTTP2 worse than HTTP1 in terms of DoS?
> With HTTP2 servers can:
>  - specify a truly tiny max-state size.
>  - reduce the number of connections accepted

... but they can not limit the amount of work per connection.

> Given the ability in HTTP2 to set the amount of memory one is willing to
> consume for any connection, and that the minimum state per connection can
> be counted in a small number of ints, I think your concern doesn't have a
> lot of merit.

I'd say you're not thinking creatively enough.

But here's an idea:

1. Set up a HTTP/2 server.

2. Announce on Defcon that it is more resistant to DoS than a HTTP/1 server.

3. Pop-Corn!

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
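The "no setting for HEADERS longer than... / CONTINUATION at all" point in the message above, as an added example that is not part of this thread: a server-local check that walks raw HTTP/2 frames and rejects a header block (a HEADERS frame plus the CONTINUATION frames that follow it) once it has buffered more than a locally chosen cap, rather than waiting for the peer to honour any SETTINGS value. The 9-byte frame layout is HTTP/2's; the `frame` helper, the cap, the return shape and the sample byte strings are constructed for this example.

```python
import struct

# HTTP/2 frame header (9 bytes): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
FRAME_HEADER_LEN, TYPE_HEADERS, TYPE_CONTINUATION, FLAG_END_HEADERS = 9, 0x1, 0x9, 0x4


def frame(ftype, flags, stream_id, payload):
    """Build one raw HTTP/2 frame (constructed helper for the sample input)."""
    return (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def check_header_blocks(data, max_block_bytes=8192):
    """Walk raw HTTP/2 frames and cap one header block (HEADERS plus the
    CONTINUATION frames up to END_HEADERS) at a local limit: a hypothetical
    server policy, not a protocol SETTINGS value. Returns ("ok", frames_seen)
    or ("reject", stream_id, bytes_buffered, reason)."""
    pos, seen = 0, 0
    open_stream, buffered = None, 0  # header block currently being assembled
    while pos + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + FRAME_HEADER_LEN + length > len(data):
            break  # incomplete frame: a server would wait for more bytes
        pos += FRAME_HEADER_LEN + length
        seen += 1
        if ftype == TYPE_HEADERS and open_stream is None:
            open_stream, buffered = stream_id, 0
        elif ftype == TYPE_CONTINUATION and open_stream == stream_id:
            pass  # legal continuation of the open block
        elif ftype in (TYPE_HEADERS, TYPE_CONTINUATION) or open_stream is not None:
            return ("reject", stream_id, buffered, "frame out of header-block sequence")
        else:
            continue  # unrelated frame outside any header block
        buffered += length
        if buffered > max_block_bytes:
            return ("reject", stream_id, buffered, "header block exceeds local cap")
        if flags & FLAG_END_HEADERS:
            open_stream, buffered = None, 0
    return ("ok", seen)


# Constructed sample: a benign 20-byte header block on stream 1, then a block
# on stream 3 that never sends END_HEADERS and keeps growing via CONTINUATION.
BENIGN = frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, b"\x82" * 20)
FLOOD = frame(TYPE_CONTINUATION, 0, 3, b"") if False else frame(TYPE_HEADERS, 0, 3, b"\x00" * 1000) + b"".join(
    frame(TYPE_CONTINUATION, 0, 3, b"\x00" * 1000) for _ in range(10))
```

With the cap at 4096 bytes the check rejects stream 3 after the fourth CONTINUATION frame, without ever parsing the HPACK payload.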
Received on Tuesday, 1 July 2014 23:48:33 UTC