Limit max reset frames to mitigate HTTP/2 RST floods #5232

Merged
merged 7 commits into from
Oct 18, 2023

Commits on Oct 11, 2023

  1. Limit max reset frames to mitigate HTTP/2 RST floods

    Motivation:
    
    To mitigate against the "HTTP/2 Rapid Reset" attack, it is recommended
    that HTTP/2 servers should close connections that exceed the concurrent
    stream limit.
    
    Reference:
    
    - https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/
    - https://www.cve.org/CVERecord?id=CVE-2023-44487
    - netty/netty@58f75f6#diff-82f568a075ff63e9727ce8622f3a2b1553099182edf1fd0b4f857226252b05adR47
    
    Modifications:
    
    - Add `ServerBuilder.http2MaxResetFramesPerWindow()` option and
      `-Dcom.linecorp.armeria.defaultHttp2MaxResetFramesPerMinute<integer>`
      property to limit the maximum allowed RST frames.
      - If not set, 400 RST frames per minute are allowed by default.
    - Bump Netty version to 4.1.100 from 4.1.96
    
    Result:
    
    You can now protect your server against DDoS caused by RST floods.
    ```java
    Server
      .builder()
      .http2MaxResetFramesPerWindow(100, 10)
      .build();
    ```
    ikhoon committed Oct 11, 2023
    df7f858
  2. Fix flaky

    ikhoon committed Oct 11, 2023
    43ce20e

Commits on Oct 12, 2023

  1. of

    ikhoon committed Oct 12, 2023
    2663c40

Commits on Oct 18, 2023

  1. Update core/src/main/java/com/linecorp/armeria/common/Flags.java

    Co-authored-by: jrhee17 <guins_j@guins.org>
    ikhoon and jrhee17 authored Oct 18, 2023
    f84beb8
  2. Update core/src/main/java/com/linecorp/armeria/common/FlagsProvider.java

    Co-authored-by: jrhee17 <guins_j@guins.org>
    ikhoon and jrhee17 authored Oct 18, 2023
    98f0e87
  3. Update core/src/main/java/com/linecorp/armeria/server/ServerBuilder.java

    Co-authored-by: jrhee17 <guins_j@guins.org>
    ikhoon and jrhee17 authored Oct 18, 2023
    6723cc2
  4. 1ee478b
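
The per-window RST limit described in the first commit message, sketched as a stand-alone fixed-window counter. This is an added example, not code from Armeria or Netty: the class `RstFrameWindowLimiter` and its methods are hypothetical, the traffic is constructed, and it assumes `(100, 10)` means at most 100 RST frames per 10-second window on one connection.

```java
import java.util.concurrent.TimeUnit;

/** Illustrative per-connection RST_STREAM limiter (hypothetical; not Armeria or Netty code). */
public final class RstFrameWindowLimiter {
    private final int maxRstFramesPerWindow;
    private final long windowNanos;
    private long windowStartNanos;
    private int rstFramesInWindow;

    public RstFrameWindowLimiter(int maxRstFramesPerWindow, int windowSeconds, long nowNanos) {
        if (maxRstFramesPerWindow <= 0 || windowSeconds <= 0) {
            throw new IllegalArgumentException("limit and window must be positive");
        }
        this.maxRstFramesPerWindow = maxRstFramesPerWindow;
        this.windowNanos = TimeUnit.SECONDS.toNanos(windowSeconds);
        this.windowStartNanos = nowNanos;
    }

    /** Records one received RST_STREAM frame; returns false once the connection should be closed. */
    public boolean onRstStreamRead(long nowNanos) {
        // Subtract before comparing so a wrapping clock such as System.nanoTime() is handled.
        if (nowNanos - windowStartNanos >= windowNanos) {
            windowStartNanos = nowNanos;
            rstFramesInWindow = 0;
        }
        return ++rstFramesInWindow <= maxRstFramesPerWindow;
    }

    public static void main(String[] args) {
        long ms = TimeUnit.MILLISECONDS.toNanos(1);
        // Same values as the example in the commit message (assumed: frames, seconds).
        RstFrameWindowLimiter limiter = new RstFrameWindowLimiter(100, 10, 0L);
        // Constructed traffic: a client cancelling 5 requests per second for 30 seconds.
        boolean ok = true;
        for (int i = 0; i < 150 && ok; i++) {
            ok = limiter.onRstStreamRead(i * 200 * ms);
        }
        System.out.println("normal client kept open: " + ok);
        // Constructed traffic: one RST_STREAM per millisecond on a fresh connection.
        RstFrameWindowLimiter flooded = new RstFrameWindowLimiter(100, 10, 0L);
        int accepted = 0;
        while (flooded.onRstStreamRead(accepted * ms)) {
            accepted++;
        }
        System.out.println("flood cut off after " + accepted + " RST frames");
    }
}
```

The counter is kept per connection, so a client that cancels requests at an ordinary rate never reaches the limit, while a flood is cut off within the first window.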