- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 11 Jul 2014 12:03:21 -0700
- To: Jason Greene <jason.greene@redhat.com>
- Cc: Greg Wilkins <gregw@intalio.com>, Jeff Pinner <jpinner@twitter.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 11 July 2014 11:45, Jason Greene <jason.greene@redhat.com> wrote:
> This is the flaw:
>
> "1) Stalling a connection by never finishing the sending of a full set of headers.
>
> I don't find #1 interesting, since the attacker is mostly just attacking
> themselves"
>
> If you coalesce connections there are N users per connection. That's a real problem you can't just wave away.

No, that is still right. You are mounting the DoS on yourself. Your N users can blame you, not the protocol.

If it were possible to stream small bits of messages (as we can do for DATA) and the real subject of Roberto's analysis weren't a problem (it is), then you might be able to stream onto a shared resource and get away with it. As a practical matter, I don't believe that streaming into a shared connection is advisable.

Still, the real issue is the one I quoted: forcing an implementation to hold multiple partially complete header sets open is a superb DoS vector. Better than the HOL blocking we've been talking about, which can be easily contained.
Received on Friday, 11 July 2014 19:03:52 UTC
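The resource-exhaustion concern in the message above (a receiver forced to keep several partially received header sets open) is easiest to reason about with a bounded tracker in front of you. The following Python is an added example, not code from this thread or from any HTTP/2 implementation: it models a receiver that may have multiple header blocks in flight, caps how many may be incomplete at once, caps the bytes each may buffer, and expires blocks that have been open too long. The frame representation (`stream_id`, `fragment`, `end_headers`), the limit values and the class names are all constructed for illustration.

```python
"""Bounded tracking of partially received header blocks (added example).

A receiver that lets several header blocks be in flight must bound the
resources an unfinished block can tie up; otherwise a peer can open many
blocks and never finish any. Limits and names here are illustrative.
"""
from dataclasses import dataclass, field


class HeaderBlockAbuse(Exception):
    """Raised when a peer exceeds a limit; the caller should close the connection."""


@dataclass
class PartialHeaderBlock:
    stream_id: int
    started_at: float                       # time the first fragment arrived
    fragments: list = field(default_factory=list)

    @property
    def size(self) -> int:
        return sum(len(f) for f in self.fragments)


class HeaderBlockTracker:
    """Keeps per-stream header fragments until END_HEADERS, under hard limits."""

    def __init__(self, max_open: int = 4, max_bytes: int = 16384, deadline: float = 5.0):
        self.max_open = max_open            # incomplete blocks allowed at once
        self.max_bytes = max_bytes          # buffered bytes allowed per block
        self.deadline = deadline            # seconds a block may stay incomplete
        self.open: dict[int, PartialHeaderBlock] = {}

    def on_fragment(self, stream_id: int, fragment: bytes, end_headers: bool, now: float):
        """Buffer one fragment; return the complete block on END_HEADERS, else None."""
        block = self.open.get(stream_id)
        if block is None:
            if len(self.open) >= self.max_open:
                raise HeaderBlockAbuse(f"{len(self.open)} incomplete header blocks already open")
            block = PartialHeaderBlock(stream_id, now)
            self.open[stream_id] = block
        block.fragments.append(fragment)
        if block.size > self.max_bytes:
            raise HeaderBlockAbuse(f"header block on stream {stream_id} exceeds {self.max_bytes} bytes")
        if end_headers:
            del self.open[stream_id]
            return b"".join(block.fragments)
        return None

    def expire(self, now: float) -> list[int]:
        """Drop blocks open longer than the deadline; return the stream ids dropped."""
        stale = [sid for sid, b in self.open.items() if now - b.started_at > self.deadline]
        for sid in stale:
            del self.open[sid]              # the caller would reset these streams
        return stale


def simulate_stall(max_open: int = 4) -> str:
    """Constructed scenario: a peer starts header blocks on many streams and finishes none."""
    tracker = HeaderBlockTracker(max_open=max_open, deadline=1.0)
    for i in range(max_open):
        tracker.on_fragment(2 * i + 1, b":method: GET", end_headers=False, now=0.0)
    try:
        tracker.on_fragment(99, b":path: /", end_headers=False, now=0.5)
        return "accepted"
    except HeaderBlockAbuse:
        return "rejected"                    # limit hit: connection would be closed


if __name__ == "__main__":
    print("stall attempt:", simulate_stall())
    t = HeaderBlockTracker()
    t.on_fragment(1, b":method: GET ", end_headers=False, now=0.0)
    print("completed block:", t.on_fragment(1, b":path: /", end_headers=True, now=0.1))
```

The point of the `expire` path is the one the message makes: a block that never completes must not be allowed to hold its buffers indefinitely, so the receiver needs a deadline and a cap on concurrent incomplete blocks in addition to a per-block size limit.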