- From: Henrik Nordström <henrik@henriknordstrom.net>
- Date: Sun, 09 May 2010 21:17:58 +0200
- To: Yves Lafon <ylafon@w3.org>
- Cc: ietf-http-wg@w3.org

On Thu 2010-03-25 at 19:34 -0400, Yves Lafon wrote:

> The proposal is to add the following text in section 7.
> (Security Considerations) of Part 5 [1]
> <<
> 7.1 Range Flooding
>
> Range requests containing overlapping ranges may lead to the situation
> where a server is sending far more data than the size of the complete
> resource representation. This can generate Denial of Service attacks.
> >>
> There are multiple ways a server can reject (or ignore the Range: header)
> such requests, so no advice is given on how to process it.
>
> [1] http://tools.ietf.org/html/draft-ietf-httpbis-p5-range-09#section-7

I don't really see how this is a denial of service. Sure it may make the server send a lot of data, but so does a pipelined chain of requests with only marginal difference in amount of traffic the requesting client has to send, or even a single plain request for a large object (iso image etc).

In all three cases the server will happily fill whatever bandwidth is available between the server & client for the duration of the requested data.

Regards
Henri

Received on Sunday, 9 May 2010 19:18:28 UTC
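
As an added illustration (not part of the original message or of the draft), the sketch below resolves a `Range: bytes=` header against a representation length, measures the payload the overlapping ranges would produce, and coalesces them when that total exceeds the representation size. The function names, the sample header and the policy are assumptions; the quoted proposal deliberately gives no processing advice.

```python
import re

_SPEC = re.compile(r"(\d*)-(\d*)", re.ASCII)   # first-last, first-, or -suffix

def resolve_ranges(header, length):
    """Resolve 'bytes=...' against `length`; None means malformed header."""
    unit, _, spec = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    out = []
    for part in spec.split(","):
        m = _SPEC.fullmatch(part.strip())
        if not m or m.group(0) == "-":
            return None
        first, last = m.groups()
        if first == "":                          # suffix form: final N bytes
            start, end = max(length - int(last), 0), length - 1
        else:
            if last and int(last) < int(first):
                return None
            start = int(first)
            end = min(int(last), length - 1) if last else length - 1
        if start <= end:                         # drop unsatisfiable pieces
            out.append((start, end))
    return out

def payload_bytes(ranges):
    return sum(end - start + 1 for start, end in ranges)

def coalesce(ranges):
    """Merge overlapping or adjacent inclusive ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def plan_response(header, length):
    """Assumed policy: never send more payload than the representation holds."""
    ranges = resolve_ranges(header, length)
    if ranges is None:
        return "ignore-range", [(0, length - 1)]   # serve the full entity
    if not ranges:
        return "unsatisfiable", []
    if payload_bytes(ranges) > length:
        return "coalesced", coalesce(ranges)
    return "as-requested", ranges

# Constructed sample: 1000-byte representation, heavily overlapping request.
FLOOD = "bytes=0-999,0-999,0-999,500-"
```

For the constructed header, the uncoalesced ranges total 3500 payload bytes against a 1000-byte representation; after coalescing the response carries a single 0-999 range.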