Hi Aleks,

On Tue, Aug 13, 2019 at 07:02:49PM +0000, Aleksandar Lazic wrote:
> Have anyone seen this and maybe some information is haproxy vulnerable
> against this attacks?
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Yes I had a look after being kindly notified by Piotr. In practice almost
all of them are irrelevant in our case, either because the processing cost
is trivial (e.g. RST_STREAM, PING, SETTINGS, empty frames...) or because
we don't have the required feature (priority, push_promise). The one I'd
like to have a deeper look at is the 1-byte window increments, which may
result in several streams to be woken up just to write one byte and wait
for the next update. It should even have a higher impact on 1.9+ than on
1.8, but nothing alarming in my opinion. We could easily mitigate this by
waiting for at least a part of the pending data to be refilled before
waking the streams up.

I'm glad some work has been done on this, as some of them were identified
and mitigated during development, others were found later during code
reviews, and all result from the difficulty to efficiently implement
certain operations, so all of them are entirely implementation-dependent,
and deserve some documentation and advices for future versions of the
HTTP spec. I hope it will encourage more work to be done in this direction,
especially on QUIC which will be even newer in terms of concepts!

> On HN is also some Info's available.
> https://news.ycombinator.com/item?id=20688178

Thanks for the link.


Reply via email to