From 97813ae58d19687f3c61f6355b4307c88908058a Mon Sep 17 00:00:00 2001 | |
From: isaacs <i@izs.me> | |
Date: Tue, 22 Oct 2013 10:56:03 -0700 | |
Subject: [PATCH] blog: HTTP server DoS vulnerability details | |
CVE-2013-4450 | |
--- | |
.../http-server-pipeline-flood-dos.md | 37 ++++++++++++++++++++++ | |
1 file changed, 37 insertions(+) | |
create mode 100644 doc/blog/vulnerability/http-server-pipeline-flood-dos.md | |
diff --git a/doc/blog/vulnerability/http-server-pipeline-flood-dos.md b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md | |
new file mode 100644 | |
index 0000000..e4a607d | |
--- /dev/null | |
+++ b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md | |
@@ -0,0 +1,37 @@ | |
+title: DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21) | |
+date: Tue Oct 22 10:42:10 PDT 2013 | |
+slug: cve-2013-4450-http-server-pipeline-flood-dos | |
+category: vulnerability | |
+ | |
+Node.js is vulnerable to a denial of service attack when a client | |
+sends many pipelined HTTP requests on a single connection, and the | |
+client does not read the responses from the connection. | |
+ | |
+We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP | |
+servers in production please update as soon as possible. | |
+ | |
+* v0.10.21 <http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/> | |
+* v0.8.26 <http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/> | |
+ | |
+This is fixed in Node.js by pausing both the socket and the HTTP | |
+parser whenever the downstream writable side of the socket is awaiting | |
+a drain event. In the attack scenario, the socket will eventually | |
+time out, and be destroyed by the server. If the "attacker" is not | |
+malicious, but merely sends a lot of requests and reacts to them | |
+slowly, then the throughput on that connection will be reduced to what | |
+the client can handle. | |
+ | |
+There is no change to program semantics, and except in the | |
+pathological cases described, no changes to behavior. | |
+ | |
+If upgrading is not possible, then putting an HTTP proxy in front of | |
+the Node.js server can mitigate the vulnerability, but only if the | |
+proxy parses HTTP and is not itself vulnerable to a pipeline flood | |
+DoS. | |
+ | |
+For example, nginx will prevent the attack (since it closes | |
+connections after 100 pipelined requests by default), but HAProxy in | |
+raw TCP mode will not (since it proxies the TCP connection without | |
+regard for HTTP semantics). | |
+ | |
+This addresses CVE-2013-4450. | |
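Review bot: the fix description at the "This is fixed in Node.js by pausing both the socket and the HTTP parser" paragraph says the attacker's socket "will eventually time out, and be destroyed by the server" without naming which timeout governs that, so an operator who has raised or disabled the server's socket timeout cannot tell from this post whether a paused, flooded connection is still torn down or simply sits idle holding its buffered responses; state the timeout the server applies here and what happens when it is disabled. In the mitigation paragraph, the nginx claim rests on a default ("closes connections after 100 pipelined requests by default"); say that an operator who raised that limit weakens the mitigation, since the sentence as written reads as if nginx protects unconditionally.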
-- | |
1.8.3.2 | |