- From: Adrien de Croy <adrien@qbik.com>
- Date: Sun, 04 Aug 2013 00:00:40 +0000
- To: "Willy Tarreau" <w@1wt.eu>, "William Chan (?????????)" <willchan@chromium.org>
- Cc: "Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, "tcpm@ietf.org" <tcpm@ietf.org>

We get tech support queries about this as well... "what are all these connections without a URL showing in activity". Nice little tech support ticket generator feature.

We figured it was pre-emptive connecting, since eventually a request may be made on the connection.

------ Original Message ------
From: "Willy Tarreau" <w@1wt.eu>
To: "William Chan (?????????)" <willchan@chromium.org>
Cc: "Scharf, Michael (Michael)" <michael.scharf@alcatel-lucent.com>; "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>; "tcpm@ietf.org" <tcpm@ietf.org>
Sent: 3/08/2013 2:15:29 a.m.
Subject: Re: Feedback on TCP Fast Open?

>Hi William,
>
>On Fri, Aug 02, 2013 at 06:51:31AM -0700, William Chan (?????????) wrote:
>> The short of it is, for vanilla HTTP, it's unclear how beneficial it would
>> be for us since we already have such gains for browser preconnect (our
>> browser feature that learns from past web browsing to speculatively
>> establish connections, typically just TCP connections but perhaps doing a
>> TLS or other handshakes too as needed).
>
>That's pretty interesting. Is this already enabled by default? I'm asking
>because I've got several users of haproxy report to me that their web site
>was regularly "attacked" by many connections in which no request is sent,
>and that because of this they had to increase the number of concurrent
>connections otherwise they can't stand the load. I asked if they thought it
>could be something like a bug in some JS application or something like this
>as I was not aware of the preconnect feature. It's been a bit hard to
>analyse, since they see no request, they can't get any information on the
>user agent for example. The thing is that it does not look like a regular
>attack since the load is more or less constant, and not very high. So till
>now it was always possible to work around this by increasing the connection
>limits 2-10 times.
>
>But now I'm thinking that *if it was a preconnect behaviour*, there could
>possibly be some harm there. I have no idea how many connections a browser
>can send to recently visited sites, but for sites which use a short
>keep-alive timeout to limit the concurrency, having a significant increase
>on the number of concurrent connections can be a problem.
>
>Note that I'm talking using a conditional form, as I can't provide evidence
>for this to be related to a preconnect feature, but your description really
>matches what I observed, and I am really wondering about the risks and
>possible impacts based on something that could appear related. If the
>increase in connection count may be significant for small sites, then maybe
>TFO could be a decent alternative (though it will clearly not pass through
>every firewall).
>
>Best regards,
>Willy
>
Received on Sunday, 4 August 2013 00:01:13 UTC
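
One way to quantify the request-less connections discussed in this thread, as an added example that is not part of the original messages or of haproxy itself: it counts HAProxy log entries whose termination state shows the client timed out (`cR`) or closed (`CR`) before sending a request. It assumes the default `option httplog` line format; the log lines, host names and addresses are constructed for illustration, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Fields of an "option httplog" line up to the quoted request (assumed format).
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ \[[^\]]+\] \S+ \S+ '
    r'(?P<timers>[-+\d/]+) (?P<status>-?\d+) \+?\d+ \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ (?:\{[^}]*\} )*"(?P<req>[^"]*)"')

# First two termination flags: who ended the session, and in which state.
NO_REQUEST = {"cR": "client timed out before sending a request",
              "CR": "client closed before sending a request"}

# Constructed sample log lines (not taken from any real site).
SAMPLE = [
    'Aug  3 02:10:01 lb1 haproxy[2211]: 198.51.100.20:40112 [03/Aug/2013:02:10:01.120] www www/s1 4/0/1/12/17 200 5120 - - ---- 3/3/1/1/0 0/0 "GET / HTTP/1.1"',
    'Aug  3 02:10:15 lb1 haproxy[2211]: 203.0.113.7:51514 [03/Aug/2013:02:10:05.000] www www/<NOSRV> -1/-1/-1/-1/10001 408 212 - - cR-- 4/4/0/0/0 0/0 "<BADREQ>"',
    'Aug  3 02:10:16 lb1 haproxy[2211]: 203.0.113.7:51515 [03/Aug/2013:02:10:14.100] www www/<NOSRV> -1/-1/-1/-1/2210 400 0 - - CR-- 3/3/0/0/0 0/0 "<BADREQ>"',
    'Aug  3 02:10:20 lb1 haproxy[2211]: 203.0.113.9:60001 [03/Aug/2013:02:10:10.000] www www/<NOSRV> -1/-1/-1/-1/10000 408 212 - - cR-- 2/2/0/0/0 0/0 "<BADREQ>"',
    'Aug  3 02:10:21 lb1 haproxy[2211]: 203.0.113.7:51520 [03/Aug/2013:02:10:21.300] www www/s1 2/0/1/9/12 200 830 - - ---- 2/2/1/1/0 0/0 "GET /a.css HTTP/1.1"',
]

def summarize(lines):
    """Count connections that ended without a request, per state and source."""
    parsed, by_state, by_ip, held_ms = 0, Counter(), Counter(), []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an HTTP-format log line
        parsed += 1
        state = m["term"][:2]
        if state in NO_REQUEST and m["req"] == "<BADREQ>":
            by_state[state] += 1
            by_ip[m["ip"]] += 1
            # Last timer is the total session time: how long a slot was held.
            held_ms.append(int(m["timers"].rsplit("/", 1)[1].lstrip("+")))
    total = sum(by_state.values())
    return {"parsed": parsed, "no_request": total,
            "share": total / parsed if parsed else 0.0,
            "by_state": dict(by_state), "by_ip": dict(by_ip),
            "held_ms": held_ms}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

These counts show how many connection slots request-less clients hold and for how long; they do not identify the cause, since no request or user agent is ever received.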