- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 2 Dec 2014 07:44:51 +0100
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>

On Mon, Dec 01, 2014 at 03:29:58PM -1000, Martin Thomson wrote:
> 420 Enhance Your Calm. The problem here is that there is a resource
> that is committed (the socket that sits in TIME_WAIT) and no
> accounting for it under the current set of resource limits (most
> likely SETTINGS_MAX_CONCURRENT_STREAMS).

The issue is that a regular implementation doesn't really know. In fact when it knows, it's too late :-/

> This isn't really special in that regard; I'm sure that the greater
> ease with which clients can initiate requests will open other avenues
> for exploitation on servers. That said, adding DoS considerations
> text is easy.

Yes I think that the best solution here is to just add some text so that implementers can think about it when doing the code, and possibly plan for system-dependent variants.

Best regards,
Willy

Received on Tuesday, 2 December 2014 06:45:16 UTC