Slow read attack in HTTP/2
vbart at nginx.com
Fri Aug 19 13:51:59 UTC 2016
On Friday 19 August 2016 18:07:46 Sharan J wrote:
> Thanks for the response.
> Would like to know what happens in the following scenario,
> Client sets its initial congestion window size to be very small and
> requests for a large data. It updates the window size every time when it
> gets exhausted with a small increment (so send_timeout won't happen as
> writes happen always but in a very small amount). In this case won't the
> connection remain until the server flushes all the data to the client which
> has very less window size?
The same is true with HTTP/1.x, there's no difference.
> If the client opens many such connections with many streams, each
> requesting for a very large data, then won't it cause DOS?
You should configure other limits to prevent the client from requesting
unlimited amounts of resources at the same time.
wbr, Valentin V. Bartenev
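
An added example, not part of the original message: one way the "other limits" mentioned above could be expressed in nginx configuration, bounding how many responses a single address can hold open while send_timeout alone does not fire. The choice of directives, the values, the server name, the certificate paths and the /downloads/ location are all assumptions made for illustration.

```nginx
# Added example; directive choice and all values are assumptions, not from the thread.
events {}

http {
    # Shared-memory zone keyed by client address, used by limit_conn below.
    limit_conn_zone $binary_remote_addr zone=per_ip:10m;

    server {
        # 2016-era syntax; newer nginx releases use a separate "http2 on;" directive.
        listen 443 ssl http2;
        server_name example.test;                        # placeholder
        ssl_certificate     /etc/nginx/placeholder.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/placeholder.key;  # placeholder path

        # Cap on concurrent streams within one HTTP/2 connection.
        http2_max_concurrent_streams 16;

        # For HTTP/2, each concurrent request counts as a separate connection,
        # so this caps in-flight requests per address across all its connections.
        limit_conn per_ip 32;
        limit_conn_status 429;

        # Measured between two successive writes, not over the whole response,
        # so a client that keeps accepting a little data never trips it.
        send_timeout 30s;

        # Hypothetical location holding the large responses: tighter cap here.
        location /downloads/ {
            limit_conn per_ip 4;
        }
    }
}
```

With these values, one address can keep at most 4 large downloads and 32 requests in total in flight, however slowly it reads each of them.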