[PATCH] SPDY/3.1 protocol implementation

Maxim Dounin mdounin at mdounin.ru
Tue Jan 28 10:05:53 UTC 2014


Hello!

On Mon, Jan 27, 2014 at 03:42:26PM -0800, Piotr Sikora wrote:

> Hey Valentin,
> 
> > Current receiving flow control implementation is pretty simple and effective:
> > we allow browser to send as much data as it wants.  That's why it is hardcoded
> > to the maximum value.
> >
> > (...)
> >
> > No, it's actually browser's will to properly prioritize POST requests.
> 
> But now you're relying on the browser to do the right thing vs forcing
> the correct behavior via SPDY's flow control.
> 
> > The receiving flow control has two uses for server:
> 
> I'd argue that making sure that requests are multiplexed is also a
> valid use case ;)
> 
> In any case, I'd prefer if this would be configureable value.
> 
> Also, it seems that we should be forcing minimum value for the
> client's window size, otherwise client can set window size to 2 bytes
> and make nginx return thousands of DATA frames and use way too many
> resources to serve a small static page (same is true for Google's &
> Twitter's web servers). This could be a huge (D)DoS-vector.

It's believed that SPDY is a huge DDoS vector by itself.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list