Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'max_cancel_stream_rate' config for the rapid reset attack #1617

Closed
wants to merge 6 commits into from
Closed

Add 'max_cancel_stream_rate' config for the rapid reset attack #1617

wants to merge 6 commits into from

Conversation

zuiderkwast
Copy link
Contributor

Fixes #1615

bjosv
bjosv reviewed Oct 31, 2023
View reviewed changes
Copy link
Contributor

@bjosv bjosv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

src/cowboy_http2.erl Outdated Show resolved Hide resolved
essen
essen requested changes Nov 7, 2023
View reviewed changes
Copy link
Member

@essen essen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

There should also be tests similar to http2_reset_flood in security_SUITE except we would have variants of headers+rst_stream sent:

  • a test where we send many HEADERS+RST_STREAM immediately
  • a test where we send N (10?) HEADERS then N (10?) RST_STREAM, repeatedly
  • a test where we send many HEADERS at once and then all RST_STREAM

doc/src/manual/cowboy_http2.asciidoc Outdated Show resolved Hide resolved
src/cowboy_http2.erl Outdated Show resolved Hide resolved
src/cowboy_http2.erl Outdated Show resolved Hide resolved
@zuiderkwast
Copy link
Contributor Author

Fixed comments and added a test case. Please look again when you can.

@essen essen added this to the 2.11 milestone Nov 23, 2023
@essen
Copy link
Member

essen commented Dec 5, 2023

Please rebase onto current master so that CI runs properly. I am planning to do a release with this and other things soon.

@zuiderkwast
Copy link
Contributor Author

Awesome that we have a working CI. Good job!

Merge is fine since you'll do a squash-merge anyway, right?

Some test runs (but not all) failed in tracer_SUITE. Do you have a clue?

@essen
Copy link
Member

essen commented Dec 5, 2023

tracer_SUITE on master is a bug in OTP, see erlang/otp#7926

I'd prefer a non-merge rebase but don't worry about it I'll deal with it.

@essen
Copy link
Member

essen commented Dec 6, 2023

Merged, thanks!

@essen essen closed this Dec 6, 2023
@zuiderkwast zuiderkwast deleted the rapid-reset-attack branch December 6, 2023 15:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bjosv bjosv bjosv left review comments

@essen essen essen requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.11
Development

Successfully merging this pull request may close these issues.

Is Cowboy affected by the HTTP/2 Rapid Reset attack?
3 participants
@zuiderkwast @essen @bjosv