Mitigate slow read attacks
nateberkopec opened this issue
There are two non-mutually-exclusive paths forward:
- Mitigate slow read attacks by putting responses in the Reactor loop.
- Mitigate slow read attacks through other means, e.g. limits on connection lifetime, limits on acceptable window sizes
There's a tool for reproducing this attack (and some other great info) here https://github.com/shekyan/slowhttptest/wiki
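Added example, not part of the original issue and not Puma's code: a throwaway Ruby TCP server that writes a large response, a slow-read client that shrinks its receive window and never drains the response, and a per-response write deadline (the "limit on connection lifetime" mitigation from the list above) that frees the pinned server thread. The function names (`serve`, `open_client`, `run_scenario`), the 4 MiB body, and the 16 KiB / 64 KiB socket buffer sizes are choices made for this demo, and the request is not parsed.

```ruby
require "socket"

# Constructed demo, not Puma's code: a throwaway TCP server writes a large
# response, a slow-read client shrinks its receive window and never reads,
# and a write deadline (a per-response connection lifetime limit) is what
# frees the server thread.

BODY = "x" * (4 * 1024 * 1024)  # 4 MiB, far more than the socket buffers hold
RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: #{BODY.bytesize}\r\n" \
           "Connection: close\r\n\r\n" + BODY

# Write RESPONSE to sock. With write_deadline nil the thread waits as long as
# the client withholds window updates (the slow read attack). With a deadline,
# IO.select bounds each wait and the connection is dropped once it expires.
def serve(sock, write_deadline: nil)
  sock.readpartial(4096)  # consume the request; the demo does not parse it
  deadline = write_deadline && Process.clock_gettime(Process::CLOCK_MONOTONIC) + write_deadline
  sent = 0
  while sent < RESPONSE.bytesize
    if deadline
      remaining = deadline - Process.clock_gettime(Process::CLOCK_MONOTONIC)
      return :timed_out if remaining <= 0 || IO.select(nil, [sock], nil, remaining).nil?
    end
    n = sock.write_nonblock(RESPONSE.byteslice(sent, 65_536), exception: false)
    if n == :wait_writable
      IO.select(nil, [sock]) unless deadline  # unbounded wait: the vulnerable path
      next
    end
    sent += n
  end
  :sent
rescue Errno::EPIPE, Errno::ECONNRESET
  :client_gone
ensure
  sock.close
end

# Open a client to the demo server and send a request. A slow reader shrinks
# SO_RCVBUF before connecting so the advertised TCP window is tiny; whether
# anything ever reads the response is up to the caller.
def open_client(port, slow:)
  c = Socket.new(:INET, :STREAM)
  c.setsockopt(:SOCKET, :RCVBUF, 16 * 1024) if slow
  c.connect(Socket.sockaddr_in(port, "127.0.0.1"))
  c.write("GET /big HTTP/1.1\r\nHost: localhost\r\n\r\n")
  c
end

# Run one server thread against one client and report what happened to the
# server thread within `wait` seconds: :sent, :timed_out, :client_gone, or
# :still_blocked (the thread is still pinned to the slow client).
def run_scenario(slow_client:, write_deadline:, wait: 1)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  worker = Thread.new do
    sock = server.accept
    sock.setsockopt(:SOCKET, :SNDBUF, 64 * 1024)  # small, fixed send buffer
    serve(sock, write_deadline: write_deadline)
  end
  client = open_client(port, slow: slow_client)
  reader = slow_client ? nil : Thread.new { client.read }  # a normal client drains the body
  worker.join(wait) ? worker.value : :still_blocked
ensure
  worker&.kill
  reader&.kill
  client&.close
  server&.close
end

if $PROGRAM_NAME == __FILE__
  puts "slow client, no deadline:    #{run_scenario(slow_client: true,  write_deadline: nil)}"
  puts "slow client, 0.5 s deadline: #{run_scenario(slow_client: true,  write_deadline: 0.5)}"
  puts "normal client, 2 s deadline: #{run_scenario(slow_client: false, write_deadline: 2)}"
end
```

The first scenario is the attack as the issue describes it: the client's tiny window stalls the server's write indefinitely, and a thread-per-connection server loses that thread for as long as the client keeps the socket open. The second shows the lifetime limit reclaiming the thread after 0.5 s, and the third confirms a client that actually reads is unaffected by the deadline. The deadline here is a total per-response budget rather than an idle timeout; a real server would also want a limit on the number of concurrent connections a single peer may hold.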
Is this attack possible even if Puma is behind Nginx?
@johnnyshields Assuming you've got nginx configured with `proxy_buffering on`, then you're probably fine. Similarly, if you're on Heroku, the Heroku Router will buffer up to 1 MiB of response for you. There's a longer discussion of this issue too.