[HTTP/2] extend flood protection to upstream servers #12281

Closed
yanavlasov opened this issue Jul 24, 2020 · 3 comments · Fixed by #14443
Labels: area/http, enhancement (Feature requests. Not bugs or questions.), no stalebot (Disables stalebot from closing an issue), untrusted-upstreams (Required before considering upstreams untrusted)

yanavlasov commented Jul 24, 2020

Flood protection checks are currently enabled in downstream (server) codecs. These checks need to be extended to the upstream client codecs as well to allow Envoy to work with untrusted upstream servers.

Depends on #12280
Sub-task of #12278

yanavlasov self-assigned this Jul 24, 2020

yanavlasov added the area/http, enhancement and no stalebot labels Jul 24, 2020

antoniovicente commented

While we're at it, we should rethink how flood protection is implemented. We have seen that throwing an exception when triggering the flood condition is risky.

#11370 may be the best way to address data frame flooding cases. Control frame flooding requires more thought.

yanavlasov commented

Upstream flood and abuse checks will be implemented in the following steps:

  1. Add upstream flood and abuse checks to the client codec, protected by a runtime flag, disabled by default. (see PR#13635)
  2. Implement all tests for all relevant upstream flood/abuse cases.
  3. Flip the upstream checks to be enabled by default, and runtime flag to disable them.
  4. Remove the flag altogether after the deprecation period.

yanavlasov commented Oct 22, 2020

Tests that need to be implemented for upstream flood/abuse checks. Test names come from the http2_flood_integration_tests test suite.
