On 15/06/2021 11:09, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 2698cfb Reduce overhead count by 2 rather than 1 for non-overhead frames
2698cfb is described below
commit 2698cfb178b81513276e2093bf2a19e04cca1b90
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 14 22:12:46 2021 +0100
Reduce overhead count by 2 rather than 1 for non-overhead frames
This means that the overhead count for a well-behaved connection should
trend downwards over time.
This changes the behaviour for the HTTP/2 overhead protection but I
intend to back-port this all the way to 8.5.x.
My reasoning is:
- the overhead protection prior to recent changes was very likely to
trigger false positives - this change makes that less likely
- the change makes it much more likely that a typical HTTP/2 connection
will have an overhead count that trends down over time. This means a
connection that is mostly well-behaved will not get closed as a result
of one small instance of inefficient behaviour
- Tomcat was never susceptible to these DoS attacks so the overhead
protection is more to close down abusive clients early and save
server resources rather than to prevent a DoS. Therefore, making false
positives less likely at the slight risk of increasing false negatives
is acceptable.
- In the highly unlikely event that this is an issue for a user, the
overheadCountFactor can be used (set it to double what it is now) to
effectively undo this change
I've thought quite a bit about this over the last day or so while I have
been working on it and while I'd normally be more averse to
back-porting this sort of change my current view is that this will be at
worst neutral for users and will be an improvement for a significant
majority of users who have enabled HTTP/2.
Mark
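The following Python model is an added illustration of the counting scheme discussed in this thread; it is not Tomcat's code and not part of the mailing-list message. It assumes a simplified rule: each overhead frame adds `overhead_count_factor` to a counter, each non-overhead frame subtracts `non_overhead_decrement` (1 before the commit, 2 after), the counter starts at a negative allowance proportional to the factor, and the connection is closed once the counter goes above zero. The factor value, the allowance, the zero threshold and the frame labels in the sample streams are all constructed assumptions. It shows the two claims made above: a mostly well-behaved connection trends down under the new decrement where it trended up under the old one, and doubling `overheadCountFactor` makes the new rule close a connection at exactly the same frame as the old rule did.

```python
"""Simplified model of HTTP/2 overhead-frame accounting (assumption-based, not Tomcat's code)."""

from typing import List, Optional, Tuple


def run(frames: List[str], factor: int, decrement: int, allowance: int = 10) -> Tuple[List[int], Optional[int]]:
    """Replay a frame stream against the overhead counter.

    frames    : list of "overhead" or "payload" labels (constructed input)
    factor    : amount added per overhead frame (the overheadCountFactor knob)
    decrement : amount subtracted per non-overhead frame (1 = old rule, 2 = new rule)
    allowance : assumption - the counter starts at -allowance * factor so a
                connection tolerates some overhead before it is considered abusive

    Returns (history of counter values, index of the frame that closed the
    connection or None if it survived).
    """
    count = -allowance * factor
    history: List[int] = []
    for index, kind in enumerate(frames):
        if kind == "overhead":
            count += factor
        else:
            count -= decrement
        history.append(count)
        if count > 0:  # assumption: threshold is zero
            return history, index
    return history, None


def well_behaved_stream(cycles: int) -> List[str]:
    """Constructed sample: one overhead frame for every six payload frames."""
    return (["overhead"] + ["payload"] * 6) * cycles


def abusive_stream(n: int) -> List[str]:
    """Constructed sample: nothing but overhead frames."""
    return ["overhead"] * n


def trends_down(history: List[int]) -> bool:
    """True if the counter ends lower than it was after the first full cycle."""
    return history[-1] < history[6]


def same_close_point(frames: List[str], factor: int) -> bool:
    """Old rule (factor, -1) versus new rule (2*factor, -2) close at the same frame
    and the new counter is exactly twice the old one at every step."""
    old_hist, old_close = run(frames, factor, 1)
    new_hist, new_close = run(frames, 2 * factor, 2)
    return old_close == new_close and new_hist == [2 * v for v in old_hist]


if __name__ == "__main__":
    stream = well_behaved_stream(10)
    old_hist, _ = run(stream, factor=10, decrement=1)
    new_hist, _ = run(stream, factor=10, decrement=2)
    print("old rule trends down:", trends_down(old_hist))
    print("new rule trends down:", trends_down(new_hist))
    print("doubling the factor undoes the change:", same_close_point(abusive_stream(30), 10))
```

With the constructed 1:6 overhead-to-payload ratio, the old rule gains 4 per cycle (10 - 6) so the counter drifts toward the close threshold, whereas the new rule loses 2 per cycle (10 - 12) and drifts away from it; an all-overhead stream is still closed, and at the same frame under both parameterisations once the factor is doubled.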