Slow read attack in HTTP/2

Валентин Бартенев vbart at nginx.com
Fri Aug 19 13:51:59 UTC 2016


On Friday 19 August 2016 18:07:46 Sharan J wrote:
> Hi,
> 
> Thanks for the response.
> 
> Would like to know what happens in the following scenario,
> 
> Client sets its initial congestion window size to be very small and
> requests a large amount of data. It updates the window size every time it
> gets exhausted, with a small increment (so send_timeout won't happen, as
> writes always happen, but in very small amounts). In this case, won't the
> connection remain open until the server flushes all the data to the client,
> which has a very small window size?

The same is true with HTTP/1.x, there's no difference.

> 
> If the client opens many such connections with many streams, each
> requesting a very large amount of data, then won't it cause a DoS?
> 

You should configure other limits to prevent a client from requesting
unlimited amounts of resources at the same time.

  wbr, Valentin V. Bartenev
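As an added illustration of the "other limits" the reply refers to, here is an nginx configuration fragment written for this page (not taken from the thread or from the nginx project); the numeric values and the certificate paths are assumptions to be tuned per deployment. It bounds how many in-flight streams a single client can hold open, which is what matters when a tiny flow-control window keeps send_timeout from firing.

```nginx
# Added example: nginx limits that bound how much server work a single
# client can tie up with slow-read (small flow-control window) streams.
# All values below are assumptions; tune them for the deployment.

http {
    # Shared-memory zone keyed by client address. For HTTP/2, nginx
    # counts each concurrent stream as a separate "connection" for
    # limit_conn purposes, so this caps in-flight streams per client IP
    # across all of its connections.
    limit_conn_zone $binary_remote_addr zone=perip:10m;

    server {
        listen 443 ssl http2;
        ssl_certificate     /path/to/cert.pem;   # placeholder path
        ssl_certificate_key /path/to/key.pem;    # placeholder path

        # Cap concurrent streams per HTTP/2 connection (nginx default 128).
        http2_max_concurrent_streams 32;

        # At most 32 in-flight streams per client address in total;
        # further requests get 429 instead of consuming a worker slot.
        limit_conn perip 32;
        limit_conn_status 429;

        # Abort a response when the client accepts no data at all for
        # this long between two successive writes. As the thread notes,
        # a client that keeps draining a tiny window never trips this,
        # which is why the concurrency caps above are the real bound.
        send_timeout 10s;

        location / {
            root /var/www/html;   # placeholder document root
        }
    }
}
```

With these limits in place, a client that holds many slow streams open is capped at 32 concurrent streams rather than an unbounded number, while well-behaved clients are unaffected.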


