Several bugs/problems in the DoS protection code #320
Description
mod_h2 has a built-in DoS protection feature in h2_mplx.c. I have analyzed it because of #318.
When a HTTP/2 stream reset is received, s_mplx_be_happy() is called for an "acceptable" reset. m_be_annoyed() is called for a "not acceptable" reset.
Bugs/problems:
irritations_sincehas the typeapr_uint32_t. It should be a signed integer type:irritations (>0) or happy events (<0) since last mood change. Integer underflow can happen ins_mplx_be_happy(). This bug has been introduced in commit 6963a8a.- Race condition: After
mood_update_intervalhas elapsed, it matters whether an "acceptable" or "not acceptable" reset is received.s_mplx_be_happy()andm_be_annoyed()don't check whetherirritations_sinceis< 0or> 0, the reset that has just been received matters more than all the other resets received during the interval. s_mplx_be_happy()counts "acceptable" resets only ifprocessing_limit < processing_max.m_be_annoyed()counts "not acceptable" resets only ifprocessing_limit > 2. So ifprocessing_limitis at the minimum or maximum, the counting is one-sided.s_mplx_be_happy()counts resets for connections that have started after the last "mood change",m_be_annoyed()counts resets for connections that have started at any time, so it is easier to "annoy" mod_h2 than to "make it happy".- A single "not acceptable" reset can reduce the processing limit from
H2MaxSessionStreams(e.g. 100) to 16. - The comment for
mood_update_intervalsayshow frequent we update at most, but mod_h2 may update more often: Ins_mplx_be_happy()whenirritations_since < -processing_limit, inm_be_annoyed()ifirritations_since >= processing_limit.
I propose to remove mod_h2's built-in DoS protection, because it is broken and difficult to fix, and because nghttp2 already mitigates the HTTP/2 rapid reset attack.