Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

Hi folks,

By now you may have heard about (or been under) an attack that leverages HTTP/2 concurrency, CVE-2023-44487:
  https://www.cve.org/CVERecord?id=CVE-2023-44487

To give some flavour of what's been happening:
  https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
  https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
  https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/

This is a heads-up that we'll be requesting a side meeting at IETF 118 to discuss whether any IETF work would help implementations to address this and similar attacks. The exact timing depends on room availability, but it'll likely be during the morning or lunch early in the week. Once we have a room and a time, I'll follow up.

Martin has already drafted one proposal:
  https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html

Other discussions might touch on whether there are other measures (protocol mechanisms or otherwise) that clients and servers can take, how concurrency is exposed to calling code, and whether we can give better guidance about how concurrency violations should be handled.

Cheers,


P.S. As a side meeting, this will not be an official WG session. However, it might inform WG discussions afterwards.

--
Mark Nottingham   https://www.mnot.net/

Received on Tuesday, 10 October 2023 23:45:22 UTC