Thanks for looking into it, Willy :-)

> On 10 Oct 2023, at 19:24, Willy Tarreau <w...@1wt.eu> wrote:
> […]
> But for now if your site requires any of this, I can't see how it has not
> experienced weekly outages from standard attacks.

Funny that you mention this; a bit off topic, but we had enjoyed a relatively peaceful 2023 for the most part, after some law enforcement operations last December/January. [1] But things are picking up pace again since mid-summer, and this is indeed just one of what feels like a new attack method a week that we hear of or have the displeasure to receive… Though most seem to be either L4 or non-HTTP L7.

> As Tristan mentioned, lowering tune.h2.be.max-concurrent-streams may
> also slow them down but it will also slow down some sites with many
> objects (think shops with many images). For a long time the high
> parallelism of H2 was sold as a huge differentiator, I don't feel like
> starting to advertise lowering it now.

For others that may be tempted to copy-paste it and see errors: I think you meant tune.h2.fe.max-… (emphasis on « fe »).

> There are lots of other interesting attacks on the H2 protocol, that
> can be triggered just with a regular client with low timeouts, with low
> stream windows (use h2load -w 1 to have fun), zero-window during transfers,
> and even playing with one-byte continuation frames that may force some
> components to perform reallocations and copies.

Are protections for these baked into the defaults/protocol, or is there some reading + tweaking one could consider for hardening purposes? As in, even at the cost of compatibility with « odd » clients.

Regards,
Tristan

[1] https://krebsonsecurity.com/2022/12/six-charged-in-mass-takedown-of-ddos-for-hire-sites/