W3C home > Mailing lists > Public > ietf-http-wg@w3.org > April to June 2013

Re: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of Service Attacks

From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 26 Apr 2013 11:37:07 -0700
Message-ID: <CABkgnnVp9FO8pSAD3DDtVzU0bCCDhPdx_+L5nY4SpvNFzYxO_w@mail.gmail.com>
To: James M Snell <jasnell@gmail.com>
Cc: Mike Bishop <Michael.Bishop@microsoft.com>, HTTP Working Group <ietf-http-wg@w3.org>
The Security Considerations sounds like a good place to put something
like that.  Chances are, the text will say something like "that's bad
man, but it's your problem, deal with it".

On 26 April 2013 11:34, James M Snell <jasnell@gmail.com> wrote:
> In my experience,  it's usually better to be a bit more prescriptive in how
> to deal with potential security issues if you want people to do it correctly
> ;-).  Simply saying, "well, that's a bad man but it's your problem, deal
> with it"  isn't quite enough.
>
> On Apr 26, 2013 11:28 AM, "Martin Thomson" <martin.thomson@gmail.com> wrote:
>>
>> Let me know if the text in the current draft leaves that unclear Mike.
>>
>> For the rest of this issue, I don't see this as a problem that
>> specifications can address.
>>
>> If your implementation is ignoring these frames in every sense of the
>> word, then you are in trouble.  If someone wants to willfully ignore
>> RST_STREAM, send more frames than your flow control window allows, or
>> any of these nasty sorts of things, then they are a bad person and you
>> should be prepared to treat them accordingly.
>>
>> On 26 April 2013 11:08, Mike Bishop <Michael.Bishop@microsoft.com> wrote:
>> > I raised a related issue with Martin, that the FINAL flag is valid in
>> > these ignored frames, and the ordering of those rules could lead to
>> > disagreement between the peers whether a given stream has been half-closed
>> > or not.  We might simply modify the text to say that the payload and
>> > frame-specific flags must be ignored, not the entire frame per se.
>> >
>> > -----Original Message-----
>> > From: James M Snell [mailto:jasnell@gmail.com]
>> > Sent: Friday, April 26, 2013 10:55 AM
>> > To: ietf-http-wg@w3.org
>> > Subject: Design Issue: Unknown Frame Type MUST IGNORE rule and Denial of
>> > Service Attacks
>> >
>> > https://github.com/http2/http2-spec/issues/80#issuecomment-17089487
>> >
>> > In the current draft (-02), we say that Unknown and unrecognized Frame
>> > types MUST be ignored by an endpoint. While this is ok in theory, this can
>> > be very dangerous in practice. Specifically, an attacking sender could
>> > choose to flood a recipient with a high number of junk frames that use a
>> > previously unused type code. Because of the MUST IGNORE rule, these would
>> > simply be discarded by the recipient but the damage will already have been
>> > done. Flow control actions could help mitigate the problem, but those are
>> > only partially effective.
>> >
>> > Also, the order of processing here for error handling is not clear.
>> >
>> > Let's say an attacker sends a HEADERS frame to the server initiating a
>> > stream. The server sends an RST_STREAM REFUSED_STREAM fully closing the
>> > stream. The attacker continues to send JUNK frames for the same stream ID.
>> > There are two conditions happening here:
>> >
>> > 1. The sender is sending frames for a closed stream, which ought to
>> > result in an RST_STREAM, but..
>> >
>> > 2. The frame type is unknown and unrecognized by the server so MUST be
>> > ignored.
>> >
>> > Which condition takes precedence and how do we mitigate the possible
>> > attack vector on this one.
>> >
>> > - James
>> >
>> >
>> >
Received on Friday, 26 April 2013 18:37:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:10 UTC