Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

h2: Add a rate limit facility for h/2 RST handling ("Rapid reset" mitigation) #3997

Merged
merged 3 commits into from
Oct 17, 2023
Merged

h2: Add a rate limit facility for h/2 RST handling ("Rapid reset" mitigation) #3997

merged 3 commits into from
Oct 17, 2023

Conversation

daghf
Copy link
Member

@daghf daghf commented Oct 12, 2023

This adds parameters h2_rst_allowance and h2_rst_allowance_period, which govern the rate of which we allow clients to reset h/2 streams.

If the limit is exceeded the connection is closed.

The functionality is currently disabled by default (h2_rst_allowance = 0). This is the kind of mitigation that will always need refinement, so it might be hard to come up with a one-size-fits-all kind of default here. It needs to be generous enough to not impact regular traffic, while at the same time low enough to meaningfully mitigate malicious clients. We may come up with some sort of generous number here, and give a recommendation for users to tune this down if under attack.

Mitigates: #3996

@TomasKorbar
Copy link

Hi @daghf, i think default 3600 resets per minute is pretty generous while keeping varnish relatively safe. I tested that this limit keeps memory consumption at acceptable values during rapid reset attack. As you said, if the server is under attack, admins can restrict this to a lower value.

@dridi
Copy link
Member

dridi commented Oct 16, 2023

@TomasKorbar thank you for the early testing. Could you please test it in conjunction with #3998 ?

@TomasKorbar
Copy link

@dridi sure. Give me some time please.

@dridi dridi mentioned this pull request Oct 16, 2023
Closed
@nigoroll nigoroll mentioned this pull request Oct 16, 2023
Merged
@daghf daghf force-pushed the h2_rst_allowance branch 3 times, most recently from 4d540b4 to 392a551 Compare October 17, 2023 11:42
@daghf
h2: Add a rate limit facility for h/2 RST handling
a6a5cd5 
This adds parameters h2_rst_allowance and h2_rst_allowance_period,
which govern the rate of which we allow clients to reset h/2 streams.

If the limit is exceeded the connection is closed.

Mitigates: varnishcache#3996
@daghf
Introduce RAPID_RESET as a sess_close reason
7236bc0
@daghf
Add param h2_rapid_reset
e5c5abf 
Only RST frames received earlier than this duration will be considered
rapid.
@daghf daghf merged commit a896031 into varnishcache:master Oct 17, 2023
1 check passed
@daghf daghf deleted the h2_rst_allowance branch October 17, 2023 13:58
@daghf daghf restored the h2_rst_allowance branch October 17, 2023 13:58
This was referenced Oct 18, 2023
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nigoroll nigoroll nigoroll approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@daghf @TomasKorbar @dridi @nigoroll