fix(server): start header read timeout immediately #3185
Conversation
seanmonstar
force-pushed
the
server-headers-timeout-start-immediately
branch
from
f46fc9f
to
36a24e7
Compare
|
I ran into this Today. Anything blocking this? |
|
A comment on the linked issue gave me pause. I started looking in other libraries, and for instance in Go, they use a cc @sfackler, you've asked often about idle and read timeouts. |
|
I would interpret the time before the first byte of the header is read as idle time rather than read-header time, yeah. You can already make a wrapper around a Hyper Connection + handler service that tracks idle timeouts but it's a huge PITA. Having a built in feature for that would definitely be a good idea given that it's a pretty universal thing to want in servers. |
|
FWIW the documentation on
+1 to using the same timeout such that a longer time budget helps both idle connections and slow header connections but does not help malicious connections (which idle and then slowly send headers) last twice as long. |
|
I forgot about this and made my own PR. Without this change, hyper is vulnerable to malicious actors who may just open connections and never send anything. I'd love a idle timeout functionality, but that's a lot more involved afaict. To be honest, I was planning on just using this "fixed" header timeout behaviour in addition to a "idle timeout" in my Reading headers is the very first stage of a new HTTP 1 connection and it makes sense to me that it would timeout if |
|
Would a different config please everybody? Maybe |
I think, from talking to several people, many find it clearer for there to be a separate timeout. So yea, something like |
|
This is a restatement of #3185 (comment) with additional details.
Clarity aside, isn't it the case that splitting one timeout into two timeouts could make DoS twice as effective? For example, assume 99.99% of legitimate clients will send a header consisting of multiple TCP segments, and may occasionally experience up to 5000ms of latency/congestion e.g. due to being on a cellular data connection. If there was one timeout, it could be 5000ms. As such, an adversary must transmit the entire header in 4750ms for a good chance keeping the connection open. If there were two timeouts, both of them would have to be 5000ms, because the congestion could occur either before or during the header transmission. As such, an adversary could wait 4750ms before sending the first segment and then an additional 4750ms before sending the rest of the header, keeping the connection open for twice as long. By Little's Law, doubling the lifetime of a connection means there will be double the number of active connections, per unit of potentially-firewall-limited adversary bandwidth. This could double the impact of a DoS attack on OS and server process resources. (that said, having a timeout is infinitely better than not having one. the two-timeout approach is probably good enough for me) |
seanmonstar
force-pushed
the
server-headers-timeout-start-immediately
branch
5 times, most recently
from
c787877
to
534a1f6
Compare
The `http1_header_read_timeout` used to start once there was a single read of headers. This change makes it start the timer immediately, right when the connection is estabilished.
seanmonstar
force-pushed
the
server-headers-timeout-start-immediately
branch
from
534a1f6
to
25a4abf
Compare
|
I've since decided to re-open this and merge. While some libraries do have a separate timeout options, none of them seem to use the idle timeout for the very first request. Any concern of a browser preconnect not working isn't a concern to any other implementation, and that makes sense: if a browser looks like a bad guy, it should stop that. |
The
http1_header_read_timeoutused to start once there was a single read of headers. This change makes it start the timer immediately, right when the connection is estabilished.Closes #3178
cc @paolobarbolini @silence-coding @SylvainGarrigues