W3C home > Mailing lists > Public > ietf-http-wg@w3.org > January to March 2014

Security Condideration of initial SETTINGS_MAX_CONCURRENT_STREAMS

From: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Date: Wed, 15 Jan 2014 10:55:04 +0900
Message-ID: <52D5EA78.600@iij.ad.jp>
To: HTTP Working Group <ietf-http-wg@w3.org>
Hi,

In the current spec, an initial value of SETTINGS_MAX_CONCURRENT_STREAMS
is no limit and many of endpoints set it at the first SETTINGS.

A malicious client can send massive HEADERS without replying SETTINGS-ACK
in order to overflow server's stream sessions until SETTINGS_TIMEOUT
error or up to max stream-id.

This might be a case of ENHANCE_YOUR_CALM error as in "10.5 Denial of
Service Considerations" but some implementers would miss its protection
against DoS streams at the initial startup because they expect to receive
SETTINGS-ACK promptly and do not care that the max concurrent stream is
 unlimited.

One idea is to define an initial SETTINGS_MAX_CONCURRENT_STREAMS such as 100
which is recommended as minimum in the current spec.
Is there any reason not to define it?

If limiting of the inital value is a bad idea, it is better to write a
description in the security section to care against the DoS at the connection
startup.

Regards,
Received on Wednesday, 15 January 2014 01:55:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 17:14:23 UTC