On 15/06/2021 11:09, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
      new 2698cfb  Reduce overhead count by 2 rather than 1 for non-overhead frames
2698cfb is described below

commit 2698cfb178b81513276e2093bf2a19e04cca1b90
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 14 22:12:46 2021 +0100

     Reduce overhead count by 2 rather than 1 for non-overhead frames

     This means that the overhead count for a well-behaved connection should
     trend downwards over time.

This changes the behaviour for the HTTP/2 overhead protection but I intend to back-port this all the way to 8.5.x.

My reasoning is:

- the overhead protection prior to recent changes was very likely to
  trigger false positives - this change makes that less likely

- the change makes it much more likely that a typical HTTP/2 connection
  will have an overhead count that trends down over time. This means a
  connection that is mostly well-behaved will not get closed as a result
  of one small instance of inefficient behaviour

- Tomcat was never susceptible to these DoS attacks so the overhead
  protection is more to close down abusive clients early and save
  server resources rather than to prevent a DoS. Therefore, making false
  positives less likely at the slight risk of increasing false negatives
  is acceptable.

- In the highly unlikely event that this is an issue for a user, the
  overheadCountFactor can be used (set it to double what it is now) to
  effectively undo this change


I've thought quite a bit about this over the last day or so while I have been working on it and while I'd normally be more averse to back-porting this sort of change my current view is that this will be at worst neutral for users and will be an improvement for a significant majority of users who have enabled HTTP/2.

Mark
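The following is an added toy model of the overhead accounting discussed in the message above; it is example code written for this page, not Tomcat's implementation. It assumes (these details are not stated in the message) that the counter starts at a negative allowance, that every overhead frame adds overheadCountFactor, that every non-overhead frame subtracts a fixed reduction (1 before the commit, 2 after it), and that the connection is closed as soon as the counter becomes positive. With those assumptions it shows the three effects the message argues for: a typical request pattern that was flat before now trends downwards, a mostly well-behaved connection survives one burst of overhead frames that would previously have closed it, and doubling overheadCountFactor (with the allowance scaled the same way) reproduces the old trajectory exactly.

```python
"""Toy model of HTTP/2 overhead accounting (added example, not Tomcat code).

Assumptions, none of which are taken from the original message:
- the counter starts at -allowance and the connection is closed as soon as
  it becomes positive;
- every overhead frame (SETTINGS, PRIORITY, PING, WINDOW_UPDATE) adds
  `factor`, standing in for the overheadCountFactor setting;
- every non-overhead frame (HEADERS, DATA, ...) subtracts `reduction`:
  1 before commit 2698cfb, 2 after it.
"""
from dataclasses import dataclass
from typing import List, Optional

OVERHEAD_FRAMES = {"SETTINGS", "PRIORITY", "PING", "WINDOW_UPDATE"}

OLD_REDUCTION = 1  # behaviour before the commit
NEW_REDUCTION = 2  # behaviour after the commit


@dataclass
class Outcome:
    closed_at: Optional[int]   # index of the frame that tripped the check, or None
    final_count: int           # counter value when processing stopped
    trajectory: List[int]      # counter value after each processed frame


def simulate(frames: List[str], factor: int = 1,
             reduction: int = NEW_REDUCTION, allowance: int = 10) -> Outcome:
    """Run the counter over a frame sequence and report whether it tripped."""
    count = -allowance
    trajectory: List[int] = []
    for i, frame in enumerate(frames):
        if frame in OVERHEAD_FRAMES:
            count += factor          # abusive-looking frame: charge the client
        else:
            count -= reduction       # useful frame: give credit back
        trajectory.append(count)
        if count > 0:                # assumed trip condition
            return Outcome(i, count, trajectory)
    return Outcome(None, count, trajectory)


def browser_requests(n: int) -> List[str]:
    """Constructed traffic: each request is one HEADERS plus one WINDOW_UPDATE."""
    frames: List[str] = []
    for _ in range(n):
        frames += ["HEADERS", "WINDOW_UPDATE"]
    return frames


def mostly_well_behaved(n_before: int = 50, burst: int = 15,
                        n_after: int = 50) -> List[str]:
    """Constructed traffic: normal requests, one burst of PINGs, normal requests."""
    return browser_requests(n_before) + ["PING"] * burst + browser_requests(n_after)


if __name__ == "__main__":
    for name, red in (("old (reduce by 1)", OLD_REDUCTION),
                      ("new (reduce by 2)", NEW_REDUCTION)):
        steady = simulate(browser_requests(100), reduction=red)
        bursty = simulate(mostly_well_behaved(), reduction=red)
        print(f"{name}: steady final={steady.final_count}, "
              f"bursty closed_at={bursty.closed_at} final={bursty.final_count}")
    # Doubling the factor (and the allowance) restores the pre-commit trajectory.
    old = simulate(mostly_well_behaved(), factor=1, reduction=1, allowance=10)
    undone = simulate(mostly_well_behaved(), factor=2, reduction=2, allowance=20)
    print("undo matches old decision:", old.closed_at == undone.closed_at)
```

A pure-overhead client (only PINGs) is cut off at the same point under both rules, since the reduction only applies to non-overhead frames; the change only affects clients that also send useful traffic, which is the false-positive case the message is concerned with.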

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
