Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request)

In message <>, Roberto Peon writes:

>It would have been good to have had you sit in while the group involved in
>creating HTTP2 discussed DoS considerations, which have been brought up
>consistently over the course of the development of the protocol.

Yeah, well, sorry for not having a budget to spend on HTTP/2...

That said: If DoS has been brought up consistently, it seems to have
have very little to show for it.

>If we see widespread deployment of HTTP2 in the clear, it would end up
>being no worse than HTTP1 in terms of DoS potential, which is acceptable
>(if not optimal) today.

I disagree, defending non-TLS HTTP/2 against DoS attacks is going to be
(much) harder than defending HTTP/1

>In any case, your example is only useful for servers or clients which are
>not deploying over TLS.

... because TLS provides the mechanism for "proof of work" for you which
plaintext HTTP/2 lack.

>Regardless of choosing to deploy with/without TLS, when under DoS attack,
>one sets the various SETTINGS to conservative values thus, 

There is no setting for "I'm going to service only this many reqyests
so don't send any more until I increase it"

There is no setting for "I'm not accepting HEADERS longer than..."

There is no setting for "I'm not accepting CONTINUATION at all..."

So sorry, but no cigar...

>The question that should be asked is:
>How is HTTP2 worse than HTTP1 in terms of DoS?
>With HTTP2 servers can:
>  - specify a truly tiny max-state size.
>  - reduce the number of connections accepted

... but they can not limit the amount of work per connection.

>Given the ability in HTTP2 to set the amount of memory one is willing to
>consume for any connection, and that the minimum state per connection can
>be counted in a small number of ints, I think your concern doesn't have a
>lot of merit.

I'd say you're not thinking creatively enough.

But here's an idea:

1.  Set up a HTTP/2 server.

2.  Announce on Defcon that it is more resistant to DoS than a HTTP/1 server.

3.  Pop-Corn!

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.

Received on Tuesday, 1 July 2014 23:48:33 UTC