Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

Just a reminder -- this side meeting is happening on Thursday from 8:30-9:30am in Palmovka 1/2.

Remote details:

Zoom meeting on Nov 9, 2023 08:30 AM Prague Bratislava
Join from PC, Mac, iOS or Android: https://unimelb.zoom.us/j/87313714026?pwd=czY3TzdJdW1lQVVPYVluSUNMMjBqQT09
    Password: resetreset


> On 11 Oct 2023, at 1:45 am, Mark Nottingham <mnot@mnot.net> wrote:
> 
> Hi folks,
> 
> By now you may have heard about (or been under) an attack that leverages HTTP/2 concurrency, CVE-2023-44487:
>  https://www.cve.org/CVERecord?id=CVE-2023-44487
> 
> To give some flavour of what's been happening:
>  https://blog.cloudflare.com/zero-day-rapid-reset-http2-record-breaking-ddos-attack/
>  https://cloud.google.com/blog/products/identity-security/google-cloud-mitigated-largest-ddos-attack-peaking-above-398-million-rps/
>  https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/
> 
> This is a heads-up that we'll be requesting a side meeting at IETF 118 to discuss whether any IETF work would help implementations to address this and similar attacks. The exact timing depends on room availability, but it'll likely be during the morning or lunch early in the week. Once we have a room and a time, I'll follow up.
> 
> Martin has already drafted one proposal:
>  https://martinthomson.github.io/h2-stream-limits/draft-thomson-httpbis-h2-stream-limits.html
> 
> Other discussions might touch on whether there are other measures (protocol mechanisms or otherwise) that clients and servers can take, how concurrency is exposed to calling code, and whether we can give better guidance about how concurrency violations should be handled.
> 
> Cheers,
> 
> 
> P.S. As a side meeting, this will not be an official WG session. However, it might inform WG discussions afterwards.
> 
> --
> Mark Nottingham   https://www.mnot.net/
> 
> 

--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 6 November 2023 10:14:08 UTC