http2: mitigate reported DoS attacks #29122
@addaleax Hi Anna, I don't know if this is the right place to ask about this (quite a few commits for http2 went into the 10.16.3 LTS).
Was there any "behavior" change when it comes to
I traced it down to
I handle the error gracefully but what happens is that the application enters a weird
No errors (that I can see) have been raised on the active http2session, so in the future when the application calls the
This effectively blocks the app from sending out any requests from that point onward.
Is there any additional documentation/article where I could read up on the http/2 error flow?
Thank you for your time
Hi @cTn-dev, thanks for commenting here!
The changes here affect both client and server side in the same way.
That means you’re likely exceeding some of the limits which have been introduced or changed here. Does running
I’m guessing that when a limit is exceeded, attempting to open more streams is also going to fail – it’s hard to tell without knowing more about what happens.
I am under that same impression, yes.
If these errors are for specific streams, the HTTP/2 session should generally remain usable, but I guess that depends on what the other side does exactly.
Maybe somebody in @nodejs/http2 knows more about this?
Having a reproduction, or at least a better understanding of the usage pattern, would probably indeed help figure out what the right behavior is here?
Security fixes are always going to be a bit unfortunate in that they land in LTS releases without a baking-in phase and are mostly developed without community input, so there’s always a higher chance of unintended breakage.