Hi Aleks,

On Tue, Aug 13, 2019 at 07:02:49PM +0000, Aleksandar Lazic wrote:
> Has anyone seen this, and is there any information on whether haproxy is
> vulnerable to these attacks?
> 
> https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Yes, I had a look after being kindly notified by Piotr. In practice almost
all of them are irrelevant in our case, either because the processing cost
is trivial (e.g. RST_STREAM, PING, SETTINGS, empty frames...) or because
we don't have the required feature (priority, push_promise). The one I'd
like to have a deeper look at is the 1-byte window increments, which may
result in several streams being woken up just to write one byte and wait
for the next update. It should even have a higher impact on 1.9+ than on
1.8, but nothing alarming in my opinion. We could easily mitigate this by
waiting for at least a part of the pending data to be refilled before
waking the streams up.

I'm glad some work has been done on this, as some of them were identified
and mitigated during development, others were found later during code
reviews, and all result from the difficulty of efficiently implementing
certain operations, so all of them are entirely implementation-dependent,
and deserve some documentation and advice for future versions of the
HTTP spec. I hope it will encourage more work to be done in this direction,
especially on QUIC, which will be even newer in terms of concepts!

> On HN there is also some info available.
> 
> https://news.ycombinator.com/item?id=20688178

Thanks for the link.

Cheers,
Willy
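The 1-byte WINDOW_UPDATE cost discussed above, and the "wait for part of the pending data to be refillable before waking streams" mitigation, as an added illustration that is not code from this thread and not HAProxy's own implementation: a small C model of connection-level send flow control that counts scheduler wake-ups under two policies. The data structures, the `wake_threshold` policy, the `simulate` driver and the 4-streams-by-1000-bytes scenario are all constructed for this example; the only facts taken from the spec are the RFC 7540 rules that a zero increment is a PROTOCOL_ERROR and a window above 2^31-1 is a FLOW_CONTROL_ERROR.

```c
/* Model of HTTP/2 connection-level flow control on the sending side, used to
 * compare "wake every blocked stream on any WINDOW_UPDATE" with a thresholded
 * policy. Illustrative only: not HAProxy's code or data structures. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_STREAMS 16
#define H2_MAX_WINDOW 0x7fffffffU   /* RFC 7540 6.9.1: window must not exceed 2^31-1 */

struct h2_stream {
    uint32_t pending;               /* bytes this stream is waiting to send */
};

struct h2_conn {
    uint32_t window;                /* connection-level send window */
    uint32_t wake_threshold;        /* 0 = wake as soon as window > 0 (assumed legacy policy) */
    unsigned nstreams;
    struct h2_stream streams[MAX_STREAMS];
    unsigned long wakeups;          /* stream wake-ups: the cost we want to bound */
    unsigned long bytes_sent;
    int error;                      /* set on a flow-control protocol violation */
};

static uint32_t total_pending(const struct h2_conn *c)
{
    uint32_t sum = 0;
    for (unsigned i = 0; i < c->nstreams; i++)
        sum += c->streams[i].pending;
    return sum;
}

/* Handle one connection-level WINDOW_UPDATE. Returns the number of streams woken. */
static unsigned h2_window_update(struct h2_conn *c, uint32_t increment)
{
    /* Zero increment is a PROTOCOL_ERROR, overflow a FLOW_CONTROL_ERROR (RFC 7540 6.9). */
    if (increment == 0 || increment > H2_MAX_WINDOW - c->window) {
        c->error = 1;
        return 0;
    }
    c->window += increment;

    uint32_t pending = total_pending(c);
    if (pending == 0)
        return 0;

    /* Mitigation (constructed policy): only wake streams once the window can
     * carry wake_threshold bytes, or everything still pending if that is less,
     * so tiny increments accumulate instead of each one waking the streams. */
    uint32_t need = c->wake_threshold < pending ? c->wake_threshold : pending;
    if (need == 0)
        need = 1;                   /* legacy policy: any non-empty window wakes them */
    if (c->window < need)
        return 0;

    unsigned woken = 0;
    for (unsigned i = 0; i < c->nstreams; i++) {
        struct h2_stream *s = &c->streams[i];
        if (s->pending == 0)
            continue;
        /* Every blocked stream is scheduled and tries to send; with a 1-byte
         * window, all but the first find it already consumed. */
        c->wakeups++;
        woken++;
        uint32_t n = s->pending < c->window ? s->pending : c->window;
        s->pending -= n;
        c->window -= n;
        c->bytes_sent += n;
    }
    return woken;
}

struct sim_result {
    unsigned long wakeups;
    unsigned long bytes_sent;
    uint32_t still_pending;
};

/* Start with an exhausted window (0), 'nstreams' streams each holding
 * 'per_stream' queued bytes, and feed 'updates' WINDOW_UPDATEs of 'increment'. */
static struct sim_result simulate(uint32_t threshold, unsigned nstreams,
                                  uint32_t per_stream, unsigned updates,
                                  uint32_t increment)
{
    struct h2_conn c;
    memset(&c, 0, sizeof(c));
    c.wake_threshold = threshold;
    c.nstreams = nstreams > MAX_STREAMS ? MAX_STREAMS : nstreams;
    for (unsigned i = 0; i < c.nstreams; i++)
        c.streams[i].pending = per_stream;

    for (unsigned u = 0; u < updates && !c.error; u++)
        h2_window_update(&c, increment);

    struct sim_result r = { c.wakeups, c.bytes_sent, total_pending(&c) };
    return r;
}

int main(void)
{
    /* Constructed scenario: 4 streams x 1000 bytes, peer sends 4000 one-byte updates. */
    struct sim_result naive = simulate(0, 4, 1000, 4000, 1);
    struct sim_result thr = simulate(1024, 4, 1000, 4000, 1);
    printf("legacy policy:  %lu wake-ups to send %lu bytes\n", naive.wakeups, naive.bytes_sent);
    printf("threshold 1024: %lu wake-ups to send %lu bytes\n", thr.wakeups, thr.bytes_sent);
    return 0;
}
```

In the constructed scenario the legacy policy performs 10000 stream wake-ups to move 4000 bytes, while the thresholded policy needs 10 for the same 4000 bytes. The `min(wake_threshold, pending)` clause matters: without it a stream with less than the threshold left to send would never be woken, and a single large legitimate update still wakes the streams immediately, so normal peers see no added latency.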
