- From: V13 <v13@v13.gr>
- Date: Fri, 10 Oct 2008 20:15:50 +0300
- To: ietf-http-wg@w3.org
Hello there,

While you are at the ranges thing, I'd like to request/suggest/ask that requests with overlapping ranges be prohibited or at least deprecated.

Allowing overlapping ranges permits the client side to request more data than the largest file available at the server side. It is trivial to construct a 100MB file request from 200 overlapping partial requests of a 500K file. This allows the TCP optimistic ACK attack [1] to be performed on web servers all over the world. I'm (we're) currently writing this as a paper and I'll post it here too if you like, when it is finished, but until then just take my word.

As far as I know this is the only known way that one can force the server side to transmit at rates much higher than the disk I/O rate (because requesting the same range takes advantage of the disk cache). When combined with persistent connections it is also the only known way to infinitely request data from the server side. This gives enough time to TCP to reach its maximum transmission rate and keep that rate.

For the record, we were able to force a web server to continuously transmit at 900Mbps over the Internet for more than 5 minutes (until interrupted) using just a 100Mbytes file, overlapping ranges and a persistent HTTP connection. Without overlapping ranges this wouldn't be possible.

So, since there is no sane usage of overlapping ranges (as far as I can tell), they should be either forbidden or have a security note added (perhaps with a pointer to the paper - if/when published - later).

[1] http://www.mail-archive.com/linux-net%40vger.kernel.org/msg01053.html
Received on Friday, 10 October 2008 17:16:33 UTC
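A server-side check implementing the policy the post asks for, added here as an example (it is not code from the post or from the working group): it parses an RFC 2616 `Range: bytes=...` header, flags overlapping byte-range-specs, and compares the total bytes requested against the resource length. The 500 KB resource length and the sample headers are constructed.

```python
import re

# Constructed example: a 500 KB resource, the size used in the post above.
RESOURCE_LENGTH = 500 * 1024

_SPEC = re.compile(r"^(\d*)-(\d*)$")

def parse_byte_ranges(header, resource_length):
    """Parse 'bytes=...' into inclusive (first, last) pairs; drop unsatisfiable specs."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        raise ValueError("only the bytes range unit is supported")
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed byte-range-spec: %r" % spec)
        first, last = m.group(1), m.group(2)
        if first == "":  # suffix-byte-range-spec: the last N bytes of the resource
            first, last = max(resource_length - int(last), 0), resource_length - 1
        else:
            first = int(first)
            last = resource_length - 1 if last == "" else min(int(last), resource_length - 1)
        if first >= resource_length or first > last:
            continue  # unsatisfiable spec; RFC 2616 says to ignore it
        ranges.append((first, last))
    return ranges


def check_range_request(header, resource_length):
    """Verdict on one Range header: overlap, bytes requested and amplification."""
    ranges = parse_byte_ranges(header, resource_length)
    ordered = sorted(ranges)
    overlapping = any(ordered[i][1] >= ordered[i + 1][0] for i in range(len(ordered) - 1))
    total = sum(last - first + 1 for first, last in ranges)
    return {
        "ranges": len(ranges),
        "overlapping": overlapping,
        "requested_bytes": total,
        "amplification": total / resource_length,
        # Policy suggested by the post: refuse overlaps, and never serve more
        # bytes than the resource holds, so a 500K file stays a 500K response.
        "allowed": not overlapping and total <= resource_length,
    }


if __name__ == "__main__":
    print(check_range_request("bytes=" + ",".join(["0-"] * 200), RESOURCE_LENGTH))
    print(check_range_request("bytes=0-99,200-299,-100", RESOURCE_LENGTH))
```

The first call reproduces the post's arithmetic (200 copies of a 500K file come to roughly 100MB requested) and is rejected; the second is an ordinary multipart request and passes.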