Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

h2: Add a rate limit facility for h/2 RST handling ("Rapid reset" mitigation) #3997

Merged
merged 3 commits into from
Oct 17, 2023

Conversation

daghf
Copy link
Member

@daghf daghf commented Oct 12, 2023

This adds parameters h2_rst_allowance and h2_rst_allowance_period, which govern the rate of which we allow clients to reset h/2 streams.

If the limit is exceeded the connection is closed.

The functionality is currently disabled by default (h2_rst_allowance = 0). This is the kind of mitigation that will always need refinement, so it might be hard to come up with a one-size-fits-all kind of default here. It needs to be generous enough to not impact regular traffic, while at the same time low enough to meaningfully mitigate malicious clients. We may come up with some sort of generous number here, and give a recommendation for users to tune this down if under attack.

Mitigates: #3996

@TomasKorbar
Copy link

Hi @daghf, i think default 3600 resets per minute is pretty generous while keeping varnish relatively safe. I tested that this limit keeps memory consumption at acceptable values during rapid reset attack. As you said, if the server is under attack, admins can restrict this to a lower value.

@dridi
Copy link
Member

dridi commented Oct 16, 2023

@TomasKorbar thank you for the early testing. Could you please test it in conjunction with #3998 ?

@TomasKorbar
Copy link

@dridi sure. Give me some time please.

daghf added 3 commits October 17, 2023 15:26
This adds parameters h2_rst_allowance and h2_rst_allowance_period,
which govern the rate of which we allow clients to reset h/2 streams.

If the limit is exceeded the connection is closed.

Mitigates: varnishcache#3996
Only RST frames received earlier than this duration will be considered
rapid.
@daghf daghf merged commit a896031 into varnishcache:master Oct 17, 2023
1 check passed
@daghf daghf deleted the h2_rst_allowance branch October 17, 2023 13:58
@daghf daghf restored the h2_rst_allowance branch October 17, 2023 13:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants