[ https://issues.apache.org/jira/browse/TS-4087?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163881#comment-15163881 ]
ASF GitHub Bot commented on TS-4087:
------------------------------------

Github user bryancall commented on a diff in the pull request:

https://github.com/apache/trafficserver/pull/485#discussion_r54014800

--- Diff: proxy/http2/Http2ConnectionState.cc ---
@@ -1160,3 +1162,31 @@ Http2ConnectionState::send_window_update_frame(Http2StreamId id, uint32_t size) SCOPED_MUTEX_LOCK(lock, this->ua_session->mutex, this_ethread()); this->ua_session->handleEvent(HTTP2_SESSION_EVENT_XMIT, &window_update); } + +// Return min_concurrent_streams_in when current client streams number is larger than max_active_streams_in. +// Main purpose of this is preventing DDoS Attacks. +unsigned +Http2ConnectionState::_adjust_concurrent_stream() +{ + int64_t current_client_streams = 0; + RecGetRawStatSum(http2_rsb, HTTP2_STAT_CURRENT_CLIENT_STREAM_COUNT, ¤t_client_streams);
--- End diff --

This is getting the total stream value across all the threads and then you are comparing it to the per thread value below.

> H2 flexible resource limitation
> -------------------------------
>
>                 Key: TS-4087
>                 URL: https://issues.apache.org/jira/browse/TS-4087
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: HTTP/2
>            Reporter: Ryo Okubo
>            Assignee: Masaori Koshiba
>             Fix For: 6.2.0
>
>
> Current H2 implementation depends on FetchSM and PluginVC to forward
> requests. But their memory footprint is very high. It may be vulnerable to
> DoS attack.
> As simple ways to avoid the problem, we can use two limitations,
> _proxy.config.net.connections_throttle_ and
> _proxy.config.http2.max_concurrent_streams_in_. But reducing number of
> _proxy.config.net.connections_throttle_ causes that number of acceptable
> HTTP/1.1 requests become lower. And reducing
> _proxy.config.http2.max_concurrent_streams_in_ restricts benefits of H2.
> I'd like to propose more flexible resource limitation for current H2 impl
> based on number of active H2 streams. It's adding an upper limit of active H2
> streams. If it's exceeded, ATS send low number of
> SETTINGS_MAX_CONCURRENT_STREAMS to clients and/or RST_STREAM frame.
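Review bot: the comment above _adjust_concurrent_stream() documents only the over-limit return (min_concurrent_streams_in); it should also say what is returned when the count is at or below max_active_streams_in, and whether that limit is a process-wide or a per-thread ceiling. The count is read with RecGetRawStatSum(), so the comment should name the scope of both sides of the comparison and the code should keep them the same. current_client_streams is an int64_t while the function returns unsigned, so a comparison against an unsigned limit in the rest of the function should be made in one signedness.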
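The limit proposed in the issue description, and the scope mismatch raised in the review comment, as an added C++ sketch that is not Traffic Server code: `H2Limits`, `advertised_streams`, `total_active` and all numeric values are hypothetical, and treating a ceiling of 0 as "disabled" is an assumption of the sketch.

```cpp
// Added illustration; all names are hypothetical, not Traffic Server code.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <numeric>
#include <vector>

struct H2Limits {
  uint32_t max_concurrent_streams; // advertised while under the ceiling
  uint32_t min_concurrent_streams; // advertised once the ceiling is exceeded
};

// Value to send in SETTINGS_MAX_CONCURRENT_STREAMS. `active` and `ceiling`
// must be measured in the same scope (both process-wide or both per-thread).
// A ceiling of 0 disables the check (assumption of this sketch).
uint32_t advertised_streams(const H2Limits &lim, uint64_t active, uint64_t ceiling)
{
  if (ceiling != 0 && active > ceiling) {
    return lim.min_concurrent_streams;
  }
  return lim.max_concurrent_streams;
}

// Process-wide total: the sum of the per-thread active stream counters.
uint64_t total_active(const std::vector<uint64_t> &per_thread)
{
  return std::accumulate(per_thread.begin(), per_thread.end(), uint64_t{0});
}

int main()
{
  const H2Limits lim{100, 10};                            // constructed values
  const std::vector<uint64_t> counts{400, 300, 200, 300}; // constructed, 4 threads
  const uint64_t per_thread_ceiling = 1000;
  const uint64_t global_ceiling = per_thread_ceiling * counts.size();

  // Consistent scopes: neither one thread nor the total is over its ceiling.
  std::printf("per-thread: %u\n", (unsigned)advertised_streams(lim, counts[0], per_thread_ceiling));
  std::printf("global:     %u\n", (unsigned)advertised_streams(lim, total_active(counts), global_ceiling));
  // Mixed scopes: the sum (1200) is tested against one thread's ceiling (1000),
  // so clients are throttled at a fraction of the intended load.
  std::printf("mixed:      %u\n", (unsigned)advertised_streams(lim, total_active(counts), per_thread_ceiling));
  return 0;
}
```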