Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

I've reserved Palmovka 1/2 on Thursday, 9 November from 8:30-9:30am.

Remote participation details to follow.

Cheers,
> On 11 Oct 2023, at 10:45 am, Mark Nottingham <mnot@mnot.net> wrote:
> 
> Hi folks,
> 
> By now you may have heard about (or been under) an attack that leverages HTTP/2 concurrency, CVE-2023-44487:
>  https://www.cve.org/CVERecord?id=CVE-2023-44487
> 
> To give some flavour of what's been happening:
>  https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
>  https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
>  https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
> 
> This is a heads-up that we'll be requesting a side meeting at IETF 118 to discuss whether any IETF work would help implementations to address this and similar attacks. The exact timing depends on room availability, but it'll likely be during the morning or lunch early in the week. Once we have a room and a time, I'll follow up.
> 
> Martin has already drafted one proposal:
>  https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
> 
> Other discussions might touch on whether there are other measures (protocol mechanisms or otherwise) that clients and servers can take, how concurrency is exposed to calling code, and whether we can give better guidance about how concurrency violations should be handled.
> 
> Cheers,
> 
> 
> P.S. As a side meeting, this will not be an official WG session. However, it might inform WG discussions afterwards.
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Saturday, 14 October 2023 00:05:53 UTC