HTTP/2 Rapid Reset

Question

DoYouKnowWhoElse opened this issue a year ago · comments

Muscle Man · Answer 1 · Sat Oct 14 2023 08:47:07 GMT+0800 (China Standard Time)

Any update?

Muscle Man · Answer 2 · Sun Oct 22 2023 21:45:54 GMT+0800 (China Standard Time)

This is urgent to be patched to be honest.

synodriver · Answer 3 · Sun Oct 22 2023 21:51:40 GMT+0800 (China Standard Time)

I suggest look into this function to see if sans-io based protocol parser actually handles this issue.

Phil Jones · Answer 4 · Mon Oct 30 2023 06:53:56 GMT+0800 (China Standard Time)

I think the correct fix is to apply a max keep alive requests. I have a patch being tested locally.

Note though I don't think Hypercorn itself is that vulnerable as resetting streams quickly isn't likely to be that costly.

Phil Jones · Answer 5 · Wed Dec 27 2023 02:38:13 GMT+0800 (China Standard Time)

Mitigation in 926c430