HTTP/2 rapid reset mitigation #344
Conversation
pjfanning
commented
Oct 29, 2023
•
pjfanning
commented
- CVE-2023-44487 #332
- adds a throttle and the connection is closed if the reset frame rate is too high
- code is largely based on suggestions from @jrudolph
- the mima filter had to be added due to the new fields in Http2Settings
- the mima check did not work so I copied over the working MiMa.scala from incubator-pekko repo
pjfanning
force-pushed
the
http2-reset-frame
branch
from
868cb91
to
4903df0
Compare
|
Thanks for setting that up and sorry for dropping the ball here. |
pjfanning
force-pushed
the
http2-reset-frame
branch
from
39b36b9
to
2556190
Compare
pjfanning
force-pushed
the
http2-reset-frame
branch
2 times, most recently
from
e271157
to
efd0bd8
Compare
pjfanning
changed the title
pjfanning
requested review from
jrudolph,
mdedetrich,
raboof,
He-Pin and
nvollmar
and removed request for
mdedetrich
pjfanning
force-pushed
the
http2-reset-frame
branch
from
94e6db5
to
ece1b14
Compare
|
@jrudolph @raboof @nvollmar @kerr @gmethvin @mdedetrich would any of you have time to review this? This is a reaction to the Akka team issuing a security warning. I would favour not getting a CVE or attaching our name to the existing CVE-2023-44487 but I'm not against it either. My priority is just to get out a release with some change. |
| case _: FrameEvent.DataFrame => 0 | ||
| case _: FrameEvent.WindowUpdateFrame => 0 // TODO: should we throttle these? | ||
| case _ => 1 | ||
| } |
There was a problem hiding this comment.
I don't know what constantFunc means. Do you mean making this a val instead of a def?
There was a problem hiding this comment.
Yes, make just like the Keep.left/right
There was a problem hiding this comment.
Is 7156492 the sort of change that you want?
http-core/src/main/scala/org/apache/pekko/http/impl/engine/http2/Http2Blueprint.scala
Outdated
Show resolved
Hide resolved
http-core/src/main/scala/org/apache/pekko/http/impl/engine/http2/Http2Blueprint.scala
Outdated
Show resolved
Hide resolved
pjfanning
force-pushed
the
http2-reset-frame
branch
from
2f404ac
to
8a529e5
Compare
There was a problem hiding this comment.
In terms of implementation I don't have too many issues however @He-Pin if you have time it would be great to address @pjfanning 's outstanding issues.
The MiMa changes definitely should go into a separate PR (which can be merged before this one at which point this PR should be rebased).
Also at the risk of bikeshedding, I would prefer if the resets-throttle-cost config was changed to reset-throttle-cost (i.e. de-pluralize the resets). To me as an english speaker "resets" sounds slightly off. This is however not a deal breaker from my side.
pjfanning
changed the title
author PJ Fanning <[email protected]> 1698583210 +0000 committer PJ Fanning <[email protected]> 1702470760 +0100 test for http2 rapid reset Co-Authored-By: Johannes Rudolph <[email protected]> Update Http2ServerSpec.scala add throttle and config Co-Authored-By: Johannes Rudolph <[email protected]> revert code format change Update Http2ServerSettings.scala Update Http2ServerSpec.scala rework test - still needs proper asserts refactor tests scalafmt Create http2-rapid-reset-configs.backwards.excludes refactor test update test add ability to disable throttle Update Http2ServerDisableResetSpec.scala use keepLeft after rapidResetMitigation Update http2-rapid-reset-configs.backwards.excludes uptake sbt-pekko-build use updated plugin refactor sbt-pekko-build 0.1.0 rename configs rename vars
pjfanning
force-pushed
the
http2-reset-frame
branch
from
bbd2833
to
d6ab487
Compare
pjfanning
changed the title
|
I think I've covered most if the review items |
pjfanning
changed the title
|
I've just noticed that this throttle breaks some of the microbenchmarks. I think the throttle might be applied to too many frame types. Running sbt from the incubator-pekko-http dir and executing This will fail with the changes in this PR but runs ok without them. The new throttle is set to fail if there are too many frames. This benchmark does not test rapid resets directly - so it appears that the new throttle is affecting too many frame types. |
|
I have changed the cost function on the frame throttle to only throttle RST frames. It may be useful to also throttle some other frame types - possibly also:
|
* Update H2ClientServerBenchmark.scala * don't throttle header frames * only throttle reset frames * rename params * Update H2ClientServerBenchmark.scala * Update Http2ServerDisableResetSpec.scala
pjfanning
changed the title
|
I changed the code so that the rapid reset check is disabled by default. Would it be possible to have this reviewed again? In the benchmark, the check does not seem to affect performance. |
How about with a configuration? |
|
These are the results of running the H2ClientServerBenchmark on my laptop (with the change in this PR, resetFrameThrottleInterval=0s means no throttle applied and is the default). As you may see there is a small impact on my laptop, 0s runs are a little faster than 1s runs. |
|
without my PR changes (ie latest main branch code) - this seems to show that the PR changes don't appear to affect performance unless you enable the throttle (non-default setting) |
| } | ||
| } | ||
|
|
||
| protected /* To make ByteFlag warnings go away */ abstract class TestSetupWithoutHandshake { |
There was a problem hiding this comment.
The comment after protected doesn't seem elegant
There was a problem hiding this comment.
this code was moved from another class - I didn't write the original comment
There was a problem hiding this comment.
yeah, Should we keep it orgin? If it's not necessary, I still hope to be able to modify it.
|
closing due to #394 |
