Mitigate slow read attacks #3110

Open
nateberkopec opened this issue Mar 29, 2023 · 3 comments
@nateberkopec
Member

There are two non-mutually-exclusive paths forward:

  • Mitigate slow read attacks by putting responses in the Reactor loop.
  • Mitigate slow read attacks through other means, e.g. limits on connection lifetime, limits on acceptable window sizes

There's a tool for reproducing this attack (and some other great info) here https://github.com/shekyan/slowhttptest/wiki
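
As an added illustration of the second path (bounding how long a connection may hold a worker), not code from Puma or from this issue: a response writer that writes non-blocking and gives up when the peer stops draining the socket for longer than a deadline, plus a constructed slow-read client that reads a little and then stalls. The deadline value, the shrunken socket buffers and the demo client are all assumptions made for the example.

```ruby
require "socket"

# Added example (not Puma's code). A slow-read client advertises a tiny receive
# window, or simply stops reading, so the server's kernel send buffer fills and a
# blocking write() would park the worker for as long as the attacker likes.
# Writing non-blocking and bounding the wait with IO.select lets the server
# drop the client instead.

WRITE_DEADLINE = 0.5 # seconds we tolerate a full send buffer (assumed value)

# Write `data` to `sock`. Returns [:complete, bytes], [:timeout, bytes] or [:reset, bytes].
def write_with_deadline(sock, data, deadline: WRITE_DEADLINE)
  sent = 0
  while sent < data.bytesize
    begin
      sent += sock.write_nonblock(data.byteslice(sent, 65_536))
    rescue IO::WaitWritable
      # Send buffer is full because the peer is not draining it: wait at most
      # `deadline` for writability, then give up rather than block the worker.
      return [:timeout, sent] unless IO.select(nil, [sock], nil, deadline)
    rescue Errno::EPIPE, Errno::ECONNRESET
      return [:reset, sent]
    end
  end
  [:complete, sent]
end

def http_response(body)
  "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n" \
    "Content-Length: #{body.bytesize}\r\nConnection: close\r\n\r\n" + body
end

# Runs a throwaway server on loopback and a constructed slow-read client against
# it: the client reads `client_reads` bytes of the response, then never reads
# again. Returns the server's [status, bytes_sent].
def run_slow_read_demo(body_bytes: 2 * 1024 * 1024, client_reads: 1024, max_wait: 5.0)
  server = TCPServer.new("127.0.0.1", 0)
  port = server.addr[1]
  outcome = nil

  server_thread = Thread.new do
    conn = server.accept
    # Small fixed send buffer so the stall shows up quickly (demo only; a real
    # server relies on the deadline, not on buffer sizing).
    conn.setsockopt(Socket::SOL_SOCKET, Socket::SO_SNDBUF, 16_384)
    conn.readpartial(4096) # consume the request; no parsing in this demo
    outcome = write_with_deadline(conn, http_response("x" * body_bytes))
  ensure
    conn&.close
  end

  client = Socket.new(:INET, :STREAM)
  client.setsockopt(Socket::SOL_SOCKET, Socket::SO_RCVBUF, 16_384) # tiny advertised window
  client.connect(Socket.sockaddr_in(port, "127.0.0.1"))
  client.write("GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
  client.read(client_reads)    # read a little, then stall like a slow-read attacker
  server_thread.join(max_wait) # the server should give up after WRITE_DEADLINE
  server_thread.kill if server_thread.alive?
  client.close
  server.close
  outcome
end

if __FILE__ == $PROGRAM_NAME
  status, sent = run_slow_read_demo
  puts "server gave up with #{status.inspect} after sending #{sent} bytes"
end
```

Run it directly and the server reports `:timeout` after roughly half a second, having sent only the tens of kilobytes that fit in the two socket buffers; without the deadline the same write would sit in the kernel until the attacker closed the connection. A per-write deadline alone still lets a client that reads one byte per deadline interval keep the connection open, so a total response deadline or a minimum throughput check is the natural companion to this.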

@johnnyshields
Contributor

Is this attack possible even if Puma is behind Nginx?

@stevenharman
Contributor

@johnnyshields Assuming you've got nginx configured with proxy_buffering on, then you're probably fine. Similar if you're on Heroku as the Heroku Router will buffer up to 1MiB of response for you. There's a longer discussion of this issue too.

@MSP-Greg
Member

Also, https://blog.qualys.com/vulnerabilities-threat-research/2012/01/05/slow-read
