Forum: NGINX It's believed that SPDY is a huge DDoS vector by itself

JackB (Guest)
on 2014-01-28 13:34
(Received via mailing list)
The subject is a quote of Maxim Dounin in a discussion found here:
http://forum.nginx.org/read.php?29,246885,246902#msg-246902

It would be nice to have a detailed list of SPDY functionality that
could be used as a DDoS vector. And it would be even better to have an
nginx configuration example to work around each problem without simply
disabling features.

Last, should there be a default configuration in nginx/spdy which
prevents the abuse for DDoS attacks?

Any thoughts?

Thanks.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,246911,246911#msg-246911
SplitIce (Guest)
on 2014-01-28 22:00
(Received via mailing list)
I would like to second this.
B.R. (Guest)
on 2014-01-29 01:32
(Received via mailing list)
I think what you both request is interesting.
However, I would like to push the analysis further.

It seems SPDY design is flawed because it enables flexibility and offers
new features compared to HTTP without taking into account the very basis
of a protocol: being efficient by allowing quick and inexpensive routing
of its packets.

Some other projects drafted towards HTTP/2.0 are made with efficiency in
mind.
One of them is called *HTTPbis* and has been first drafted mid-2012 by 4
interesting guys: Willy Tarreau (HAProxy), Poul‐Henning Kamp (Varnish),
Adrien de Croy (WinGate) and Amos Jeffries (Squid).
Look at that: 1 load-balancing guy, 1 cache one and 2 proxy ones...
Those guys definitely want to avoid leveraging (D)DoS attacks!

They cooperate with other teams (SPDY one being one of them), but I like
the approach they took at the very beginning.

Is the nginx team aware of that project?
Does it seem interesting enough so nginx could support it in the near
future? Or do you have any plans around HTTPbis?
---
*B. R.*
Piotr Sikora (Guest)
on 2014-01-29 01:47
(Received via mailing list)
Hey,

> Some other projects drafted towards HTTP/2.0 are made with efficiency in
> mind.
> One of them is called HTTPbis and has been first drafted mid-2012 by 4
> interesting guys: Willy Tarreau (HAProxy), Poul‐Henning Kamp (Varnish),
> Adrien de Croy (WinGate) and Amos Jeffries (Squid).
> Look at that: 1 load-balancing guy, 1 cache one and 2 proxy ones... Those
> guys definitely want to avoid leveraging (D)DoS attacks!

HTTPbis isn't a protocol, it's the name of an IETF working group
responsible for developing and maintaining HTTP.

What you're referring to is called "Network-Friendly HTTP Upgrade":
http://tools.ietf.org/html/draft-tarreau-httpbis-n...

But HTTPbis chose SPDY as a base for HTTP/2.0, so there is no point in
adding support for all the proposed alternatives (even if they are
indeed better).

Best regards,
Piotr Sikora
B.R. (Guest)
on 2014-01-29 01:54
(Received via mailing list)
OK, thanks for your lights on this.

They chose to work with SPDY, right, but are their ideas being
followed-up to SPDY?
Or will their protocol stay on a parallel path? The problem would then
be that SPDY is backed by a major networking actor whose name starts
with a G...

SPDY simply can't be the best protocol without being 'Network-friendly'
(and could even be dangerous as a dormant bomb is).
---
*B. R.*