On Tue, Oct 10, 2023 at 07:23:25PM +0000, Tristan wrote:
> Thanks for looking into it, Willy :-)

You're welcome. Actually last week I ran some tests *exactly* on this,
thinking that it was the same principle as leaving orphaned sockets
when you're limited on FDs. That's how I discovered the pool bug I
mentioned the other day related to my recent change in -dev (that I
still need to fix). I thought that it would be interesting to run a
similar test on other stacks, but being busy on other more serious
stuff and not being good at installing and testing software, I went
back to my usual activities. I was aware that something was going to
be announced without knowing what the problem was so I thought it was
really not worth wasting more time on an issue if one was going to
appear anyway, likely in the same area. I wouldn't have imagined it
was exactly that one, though as it didn't look harmful enough
(otherwise I would have fixed it last week and it could have looked
like a leak for those working on theirs). But you can now understand
better why I was particularly interested in having a deeper look into
it now that we had the details ;-)

> > On 10 Oct 2023, at 19:24, Willy Tarreau <w...@1wt.eu> wrote:
> >  [...]
> > But for now if you site requires any of this, I can't see how it has not
> > experienced weekly outages from standard attacks.
> 
> Funny that you mention this; bit out of topic but we had enjoyed a relatively
> peaceful 2023 for the most part, after some law enforcement operations last
> December/January. [1]
> 
> But things are picking up pace again since mid-summer, and this is indeed
> just one of what feels like a new attack method a week that we hear of or
> have the displeasure to receive...
> Though most seem to be either L4 or non-HTTP L7.

One important thing when you're sure you're dealing with targetted attacks
is that you must not discuss them publicly, or you're giving a lot of info
to your attackers about what you identify and how you're going to mitigate
them. Sometimes you may even have to manually switch between an efficient
config and a more robust one (the ".if" in the config sometimes help for
this). I just hope you won't need that as it's quite annoying when it
happens.

> > As Tristan mentioned, lowering tune.h2.be.max-concurrent-streams may
> > also slow them down but it will also slow down some sites with many
> > objects (think shops with many images). For a long time the high
> > parallelism of H2 was sold as a huge differentiator, I don't feel like
> > starting to advertise lowering it now.
> 
> For others that may be tempted to copypaste it and seeing errors, I think you
> meant tune.h2.fe.max-... (emphasis on « fe »)

Hehe indeed, I copy-pasted it from the doc but picked the wrong one! Thanks
for correcting me!

> > There are lots of other interesting attacks on the H2 protocol, that
> > can be triggered just with a regular client with low timeouts, with low
> > stream windows (use h2load -w 1 to have fun), zero-window during transfers,
> > and even playing with one-byte continuation frames that may force some
> > components to perform reallocations and copies.
> 
> Are protections for these baked into the defaults/protocol or is there some
> reading+tweaking one could consider for hardening purposes? As in even at the
> cost of compatibility with « odd » clients.

A bit of everything I would say. The implementation, the protocol, the
timeouts, some possibilities with some rules when dealing with specific
attacks, etc. The one about the small windows is more annoying. I've
been thinking several times about whether we should implement a setting
to reject connections with too small initial windows, but such approaches
can also easily be worked around by the attacker accepting to download
the initial data. What matters is always what it costs to the attacker
to take you down. With small windows, the impact is only higher CPU
usage and it still requires high bandwidth and low latency with the
attacker. And when bandwidth and low latency are present, then attacks
can switch to SSL keying which is quite cheap for a client. The H2 small
windows attacks are not very different from L4 attacks advertising very
small TCP MSS actually. Sometimes it's also when facing such corner
cases that are difficult to address in one or another context that we
decide that we need to add a new tunable. I just prefer to refrain from
doing so until really necessary, in order to limit the complexity of
counter-measures when they're needed!

Cheers,
Willy

Reply via email to