Hello,

FYI there is a new HTTP/2 (HPACK) attack against servers/proxies:

https://blog.calif.io/p/codex-discovered-a-hidden-http2-bomb

> HPACK Indexed Reference Bomb: seed the dynamic table
> with one header, then emit thousands of 1-byte indexed
> references to it. Each reference costs the attacker one wire
> byte and the server anywhere from ~70 bytes (nginx, IIS,
> Pingora) to ~4,000 bytes (Apache httpd, Envoy) of allocation.
>
> HTTP/2 Window Stall: advertise a zero-byte flow-control window
> so the server can never finish sending its response, then drip
> 1-byte WINDOW_UPDATE frames to keep resetting the send
> timeout, pinning every allocation in memory for as long as the
> server's timeout allows.

Haproxy is not mentioned in this article; I'm not sure if we are affected or not.

cheers,
lukas
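
Added example, not part of the original message and not HAProxy code: a decoder-side budget check for the indexed-reference pattern quoted above, charging each header field its RFC 7541 entry size (name + value + 32) and rejecting the block as soon as the decoded total passes a limit of the kind SETTINGS_MAX_HEADER_LIST_SIZE expresses. The names `audit_block`, `SAMPLE` and the 16384-byte limit are assumptions for illustration; dynamic-table eviction and Huffman decoding are not modelled.

```python
# Added example (not HAProxy code): decoded-size budget for one HPACK block.
ENTRY_OVERHEAD = 32   # RFC 7541 4.1: entry size = len(name) + len(value) + 32
STATIC_ENTRIES = 61   # indices 1..61 are static; the dynamic table starts at 62

def read_int(buf, pos, prefix_bits):
    """Decode an HPACK prefix integer (RFC 7541 5.1); return (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value, pos, shift = buf[pos] & mask, pos + 1, 0
    if value == mask:                     # continuation bytes follow
        while True:
            byte, pos = buf[pos], pos + 1
            value += (byte & 0x7F) << shift
            shift += 7
            if not byte & 0x80:
                break
    return value, pos

def skip_string(buf, pos):
    """Skip a string literal; return (wire_length, next_pos). The H bit is ignored,
    so a Huffman-coded string is counted at its shorter wire length."""
    length, pos = read_int(buf, pos, 7)
    if pos + length > len(buf):
        raise ValueError("truncated string literal")
    return length, pos + length

def audit_block(block, max_list_size):
    """Return (accepted, decoded_bytes, wire_bytes_read); stop once over budget."""
    dynamic, decoded, pos = [], 0, 0      # dynamic: entry sizes, newest first
    while pos < len(block):
        first = block[pos]
        if first & 0x80:                  # indexed header field
            idx, pos = read_int(block, pos, 7)
            if idx == 0 or idx > STATIC_ENTRIES + len(dynamic):
                raise ValueError("invalid index")
            # Static names/values are not tabulated here: charge overhead only.
            static = idx <= STATIC_ENTRIES
            decoded += ENTRY_OVERHEAD if static else dynamic[idx - STATIC_ENTRIES - 1]
        elif first == 0x40:               # literal, incremental indexing, new name
            name_len, pos = skip_string(block, pos + 1)
            value_len, pos = skip_string(block, pos)
            dynamic.insert(0, name_len + value_len + ENTRY_OVERHEAD)
            decoded += dynamic[0]
        else:
            raise ValueError("representation outside this example's scope")
        if decoded > max_list_size:       # reject before decoding the rest
            return False, decoded, pos
    return True, decoded, pos

# Constructed input: one 100-byte header, then 4000 one-byte references to it.
SAMPLE = b"\x40\x01a\x64" + b"v" * 100 + b"\xbe" * 4000
```

With the 16384-byte limit the constructed block is rejected after 227 of its 4104 wire bytes; without a limit it would account for 532133 decoded bytes.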

