Slow read attack in HTTP/2
Валентин Бартенев
vbart at nginx.com
Fri Aug 19 13:51:59 UTC 2016
On Friday 19 August 2016 18:07:46 Sharan J wrote:
> Hi,
>
> Thanks for the response.
>
> Would like to know what happens in the following scenario,
>
> Client sets its initial congestion window size to be very small and
> requests for a large data. It updates the window size everytime when it
> gets exhausted with a small increment (so send_timeout wont happen as
> writes happens always but in a very small amount). In this case won't the
> connection remain until the server flushes all the data to the client which
> has very less window size?
The same is true with HTTP/1.x, there's no difference.
>
> If the client opens many such connections with many streams, each
> requesting for a very large data, then won't it cause DOS?
>
You should configure other limits to prevent client from requesting
unlimited amounts of resources at the same time.
wbr, Valentin V. Bartenev
More information about the nginx
mailing list