- From: Willy Tarreau <w@1wt.eu>
- Date: Fri, 2 Aug 2013 16:15:29 +0200
- To: "William Chan (?????????)" <willchan@chromium.org>
- Cc: "Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "tcpm@ietf.org" <tcpm@ietf.org>
Hi William, On Fri, Aug 02, 2013 at 06:51:31AM -0700, William Chan (?????????) wrote: > The short of it is, for vanilla HTTP, it's unclear how beneficial it would > be for us since we already have such gains for browser preconnect (our > browser feature that learns from past web browsing to speculatively > establish connections, typically just TCP connections but perhaps doing a > TLS or other handshakes too as needed). That's pretty interesting. Is this already enabled by default ? I'm asking because I've got several users of haproxy report me that their web site was regularly "attacked" by many connections in which no request is sent, and that because of this they had to increase the number of concurrent connections otherwise they can't stand the load. I asked if they thought it could be something like a bug in some JS application or something like this as I was no aware of the preconnect feature. It's been a bit hard to analyse, since they see no request, they can't get any information on the user agent for example. The thing is that it does not look like a regular attack since the load is more or less constant, and not very high. So till now it was always possible to work around this by increasing the connection limits 2-10 times. But now I'm thinking that *if it was a preconnect behaviour*, there could possibly be some harm there. I have no idea how many connections a browser can send to recently visited sites, but for sites which use a short keep-alive timeout to limit the concurrency, having a significant increase on the number of concurrent connections can be a problem. Note that I'm talking using a conditional form, as I can't provide evidence for this to be related to a preconnect feature, but your description really matches what I observed, and I am really wondering about the risks and possibile impacts based on something that could appear related. If the increase in connection count may be significant for small sites, then maybe TFO could be a decent alternative (though it will clearly not pass through every firewall). Best regards, Willy
Received on Friday, 2 August 2013 14:16:01 UTC