
Re: HTTP/2 DoS Vulnerability (Was: HTTP/2 response completed before its request)

From: Poul-Henning Kamp <phk@phk.freebsd.dk>
Date: Tue, 01 Jul 2014 23:48:09 +0000
To: Roberto Peon <grmocg@gmail.com>
cc: Jeff Pinner <jpinner@twitter.com>, Johnny Graettinger <jgraettinger@chromium.org>, William Chan (陈智昌) <willchan@chromium.org>, Martin Thomson <martin.thomson@gmail.com>, Patrick McManus <mcmanus@ducksong.com>, Jesse Wilson <jesse@swank.ca>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <17791.1404258489@critter.freebsd.dk>
In message <CAP+FsNdAmQbzSnNE9CHM8i1j6oyJ194HnVVm=UxZRT1AhpGUAw@mail.gmail.com>, Roberto Peon writes:

>It would have been good to have had you sit in while the group involved in
>creating HTTP2 discussed DoS considerations, which have been brought up
>consistently over the course of the development of the protocol.

Yeah, well, sorry for not having a budget to spend on HTTP/2...

That said: If DoS has been brought up consistently, it seems to have
very little to show for it.

>If we see widespread deployment of HTTP2 in the clear, it would end up
>being no worse than HTTP1 in terms of DoS potential, which is acceptable
>(if not optimal) today.

I disagree; defending non-TLS HTTP/2 against DoS attacks is going to be
(much) harder than defending HTTP/1.

>In any case, your example is only useful for servers or clients which are
>not deploying over TLS.

... because TLS provides the mechanism for "proof of work" for you which
plaintext HTTP/2 lacks.

>Regardless of choosing to deploy with/without TLS, when under DoS attack,
>one sets the various SETTINGS to conservative values thus, 

There is no setting for "I'm going to service only this many requests,
so don't send any more until I increase it."

There is no setting for "I'm not accepting HEADERS longer than..."

There is no setting for "I'm not accepting CONTINUATION at all..."

So sorry, but no cigar...

>The question that should be asked is:
>How is HTTP2 worse than HTTP1 in terms of DoS?
>With HTTP2 servers can:
>  - specify a truly tiny max-state size.
>  - reduce the number of connections accepted

... but they can not limit the amount of work per connection.

>Given the ability in HTTP2 to set the amount of memory one is willing to
>consume for any connection, and that the minimum state per connection can
>be counted in a small number of ints, I think your concern doesn't have a
>lot of merit.

I'd say you're not thinking creatively enough.

But here's an idea:

1.  Set up an HTTP/2 server.

2.  Announce on Defcon that it is more resistant to DoS than an HTTP/1 server.

3.  Pop-Corn!

Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
Received on Tuesday, 1 July 2014 23:48:33 UTC
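The limits PHK says the protocol has no setting for (a cap on header block size, a cap on CONTINUATION frames) can only be enforced locally by the receiver, by closing the connection when a peer exceeds them. The following is an added example, not code from the thread or from any HTTP/2 implementation: a minimal frame splitter for the RFC 7540 frame layout plus a guard that tracks one in-progress header block and tears the connection down on a CONTINUATION flood, an oversized header block, or a protocol violation. The limit values (8192 bytes, 8 CONTINUATION frames) are illustrative assumptions, and the payload bytes stand in for HPACK data rather than decoding it.

```python
"""Added example: locally enforced header-block limits on HTTP/2 frames.

Frame layout per RFC 7540 section 4.1: 24-bit length, 8-bit type,
8-bit flags, 1 reserved bit + 31-bit stream id, then payload. The
header-block limits below are local policy (assumed values), not
protocol settings; exceeding them is treated as a connection error.
"""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
DEFAULT_MAX_FRAME_SIZE = 16384   # initial SETTINGS_MAX_FRAME_SIZE value


class H2ConnectionError(Exception):
    """Raised when the guard would close the connection."""


def encode_frame(ftype, flags, stream_id, payload):
    """Build one frame: 3-byte length, type, flags, 4-byte stream id, payload."""
    return (struct.pack(">I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos < len(data):
        if len(data) - pos < FRAME_HEADER_LEN:
            raise H2ConnectionError("truncated frame header")
        hdr = data[pos:pos + FRAME_HEADER_LEN]
        length = int.from_bytes(hdr[0:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF
        payload = data[pos + FRAME_HEADER_LEN:pos + FRAME_HEADER_LEN + length]
        if len(payload) != length:
            raise H2ConnectionError("truncated frame payload")
        frames.append((ftype, flags, stream_id, payload))
        pos += FRAME_HEADER_LEN + length
    return frames


class HeaderBlockGuard:
    """Tracks one in-progress header block and enforces local limits."""

    def __init__(self, max_frame_size=DEFAULT_MAX_FRAME_SIZE,
                 max_header_block_bytes=8192, max_continuation_frames=8):
        self.max_frame_size = max_frame_size
        self.max_header_block_bytes = max_header_block_bytes      # assumed local cap
        self.max_continuation_frames = max_continuation_frames    # assumed local cap
        self._stream = None       # stream id of the open header block, if any
        self._bytes = 0           # payload bytes accumulated in that block
        self._continuations = 0   # CONTINUATION frames seen in that block

    def feed(self, ftype, flags, stream_id, payload):
        """Return "ignored", "partial" or "complete"; raise to close the connection."""
        if len(payload) > self.max_frame_size:
            raise H2ConnectionError("FRAME_SIZE_ERROR: %d-byte payload" % len(payload))
        if self._stream is None:
            if ftype == TYPE_CONTINUATION:
                raise H2ConnectionError("PROTOCOL_ERROR: CONTINUATION with no open header block")
            if ftype != TYPE_HEADERS:
                return "ignored"   # other frame types are outside this guard's scope
            self._stream, self._bytes, self._continuations = stream_id, 0, 0
        else:
            # RFC 7540 section 6.10: only CONTINUATION on the same stream may follow
            if ftype != TYPE_CONTINUATION or stream_id != self._stream:
                raise H2ConnectionError("PROTOCOL_ERROR: frame interleaved in header block")
            self._continuations += 1
            if self._continuations > self.max_continuation_frames:
                raise H2ConnectionError("local limit: too many CONTINUATION frames (%d)"
                                        % self._continuations)
        self._bytes += len(payload)
        if self._bytes > self.max_header_block_bytes:
            raise H2ConnectionError("local limit: header block exceeds %d bytes"
                                    % self.max_header_block_bytes)
        if flags & FLAG_END_HEADERS:
            self._stream = None
            return "complete"
        return "partial"


def guard_verdict(data, **limits):
    """Run a byte stream through the guard: ("ok", outcomes) or ("closed", reason)."""
    guard = HeaderBlockGuard(**limits)
    outcomes = []
    try:
        for frame in parse_frames(data):
            outcomes.append(guard.feed(*frame))
    except H2ConnectionError as exc:
        return ("closed", str(exc))
    return ("ok", outcomes)


# Constructed inputs, not captured traffic; payload bytes stand in for HPACK data.
def benign_request():
    """One HEADERS frame that ends its own header block."""
    return encode_frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, b"\x82\x86\x84" + b"A" * 100)


def continuation_flood(n_frames, payload_len=16):
    """HEADERS without END_HEADERS, then n_frames CONTINUATION frames that never end the block."""
    out = encode_frame(TYPE_HEADERS, 0, 1, b"\x82" * payload_len)
    for _ in range(n_frames):
        out += encode_frame(TYPE_CONTINUATION, 0, 1, b"\x82" * payload_len)
    return out


if __name__ == "__main__":
    print(guard_verdict(benign_request()))
    print(guard_verdict(continuation_flood(1000)))
    print(guard_verdict(continuation_flood(3, payload_len=4096)))
```

The point of the guard is that nothing in the wire protocol stops the peer from sending the flood; the receiver has to count bytes and frames itself and give up on the connection, which is exactly the per-connection work budget the thread is arguing about.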
