- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Fri, 11 Jul 2014 13:00:55 -0700
- To: Jason Greene <jason.greene@redhat.com>
- Cc: Greg Wilkins <gregw@intalio.com>, Jeff Pinner <jpinner@twitter.com>, HTTP Working Group <ietf-http-wg@w3.org>
On 11 July 2014 12:54, Jason Greene <jason.greene@redhat.com> wrote:
> The DOS attack is the amount of memory allocated per incomplete request. The server can track that, and it can easily RST_STREAM when it detects there is too much.

That's true for your implementation, but I know that others may prefer a simpler formulation: work out available resources, work out what a single connection can use, divide. That way, you can do things like better isolate bad behaviour on one connection from others (though you lose some scaling advantage, sure). Having the transitory header processing costs for each connection be based on a multiple of the stream concurrency limit - even if it's worst case - will make that harder.

Received on Friday, 11 July 2014 20:01:26 UTC