Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Lacking commentary on denial of service #22

Open
LPardue opened this issue May 8, 2024 · 0 comments · May be fixed by #28
Open

Lacking commentary on denial of service #22

LPardue opened this issue May 8, 2024 · 0 comments · May be fixed by #28
Assignees

Comments

@LPardue
Copy link
Collaborator

LPardue commented May 8, 2024

At the May interim I mentioned something about how many implementations or deployments optimise of lowest energy state, picking the more-straightforward way to do things such as ordering in a natural sequence rather than an unpredictable one.

Extensibility, greasing and variability are also vectors for abuse and there are serious DoS considerations that we don't really cover. For example, HTTP/3 Section 10.5 includes this text

The ability to send undefined protocol elements that the peer is required to ignore can be abused to cause a peer to expend additional processing time. This might be done by setting multiple undefined SETTINGS parameters, unknown frame types, or unknown stream types. Note, however, that some uses are entirely legitimate, such as optional-to-understand extensions and padding to increase resistance to traffic analysis.

snip

All these features -- i.e., server push, unknown protocol elements, field compression -- have legitimate uses.
These features become a burden only when they are used unnecessarily or to excess.
An endpoint that does not monitor such behavior exposes itself to a risk of denial-of-service attack. Implementations SHOULD track the use of these features and set limits on their use. An endpoint MAY treat activity that is suspicious as a connection error of type H3_EXCESSIVE_LOAD, but false positives will result in disrupting valid connections and requests.

Since these recommendations are loose, there is a potential risk that "too much" greasing or variability can trigger issues that are not otherwise seen but the definition of "too much" is opaque and very specific to each implementation or deployment.

LPardue added a commit that referenced this issue Jul 26, 2024
@LPardue LPardue linked a pull request Jul 26, 2024 that will close this issue
@LPardue LPardue self-assigned this Jul 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant