It's believed that SPDY is a huge DDoS vector by itself

The subject is a quote of Maxim D. in a discussion found here:
http://forum.nginx.org/read.php?29,246885,246902#msg-246902

It would be nice to have a detailed list of SPDY functionality that
could be
used as a DDoS vector. And it would be even better, to have an nginx
configuration example to workaround each problem without simply
disabling
features.

Last, should there be a default configuration in nginx/spdy which
prevents
the abuse for DDoS attacks?

Any thoughts?

Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246911,246911#msg-246911

I would like to second this.

I think what you both request is interesting.
However, I would like to push the analysis further.

Is seems SPDY design is flawed because it enables flexibility and offer
new
features compared to HTTP without taking into account the very basis of
a
protocol: being efficient by allowing quick and inexpensive routing of
its
packets.

Some other projects drafted towards HTTP/2.0 are made with efficiency in
mind.
One of them is called HTTPbis and has been first drated mid-2012 by 4
interesting guys: Willy Tarreau (HAProxy), Poul‐Henning Kamp (Varnish),
Adrien de Croy (WinGate) and Amos Jeffries (Squid).
Look at that: 1 load-balancing guy, 1 cache one and 2 proxy ones…
Those
guys definitely want to avoid leveraging (D)Dos attacks!

They coopareta with other teams (SPDY one being one of them), but I like
the approach they took at the very beginning.

Is the nginx team aware of that project?
Does it seems interesting enough so nginx could support it in the near
future? Or do you have any plans around HTTPbis?

B. R.

OK, thanks for your lights on this.

They chose to work with SPDY, right, but are their ideas being
followed-up
to SPDY?
Or will their protocol stay on a parallel path? The problem would then
be
that SPDY is backed by a major networking actor which name start with a
G…

SPDY simply can’t be the best protocol without being ‘Network-friendly’
(and could even be dangerous as a dormant bomb is).

B. R.

Hey,

Some other projects drafted towards HTTP/2.0 are made with efficiency in
mind.
One of them is called HTTPbis and has been first drated mid-2012 by 4
interesting guys: Willy Tarreau (HAProxy), Poul‐Henning Kamp (Varnish),
Adrien de Croy (WinGate) and Amos Jeffries (Squid).
Look at that: 1 load-balancing guy, 1 cache one and 2 proxy ones… Those
guys definitely want to avoid leveraging (D)Dos attacks!

HTTPbis isn’t a protocol, it’s the name of an IETF working group
responsible developing and maintaining HTTP.

What you’re referring to is called “Network-Friendly HTTP Upgrade”:
http://tools.ietf.org/html/draft-tarreau-httpbis-network-friendly-00

But HTTPbis chose SPDY as a base for HTTP/2.0, so there is no point in
adding support for all the proposed alternatives (even if they are
indeed better).

Best regards,
Piotr S.

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs