From 97813ae58d19687f3c61f6355b4307c88908058a Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 22 Oct 2013 10:56:03 -0700
Subject: [PATCH] blog: HTTP server DoS vulnerability details
CVE-2013-4450
---
.../http-server-pipeline-flood-dos.md | 37 ++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 doc/blog/vulnerability/http-server-pipeline-flood-dos.md
diff --git a/doc/blog/vulnerability/http-server-pipeline-flood-dos.md b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md
new file mode 100644
index 0000000..e4a607d
--- /dev/null
+++ b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md
@@ -0,0 +1,37 @@
+title: DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)
+date: Tue Oct 22 10:42:10 PDT 2013
+slug: cve-2013-4450-http-server-pipeline-flood-dos
+category: vulnerability
+
+Node.js is vulnerable to a denial of service attack when a client
+sends many pipelined HTTP requests on a single connection, and the
+client does not read the responses from the connection.
+
+We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP
+servers in production please update as soon as possible.
+
+* v0.10.21 <http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/>
+* v0.8.26 <http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/>
+
+This is fixed in Node.js by pausing both the socket and the HTTP
+parser whenever the downstream writable side of the socket is awaiting
+a drain event. In the attack scenario, the socket will eventually
+time out, and be destroyed by the server. If the "attacker" is not
+malicious, but merely sends a lot of requests and reacts to them
+slowly, then the throughput on that connection will be reduced to what
+the client can handle.
+
+There is no change to program semantics, and except in the
+pathological cases described, no changes to behavior.
+
+If upgrading is not possible, then putting an HTTP proxy in front of
+the Node.js server can mitigate the vulnerability, but only if the
+proxy parses HTTP and is not itself vulnerable to a pipeline flood
+DoS.
+
+For example, nginx will prevent the attack (since it closes
+connections after 100 pipelined requests by default), but HAProxy in
+raw TCP mode will not (since it proxies the TCP connection without
+regard for HTTP semantics).
+
+This addresses CVE-2013-4450.
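Review bot: The fix paragraph ("This is fixed in Node.js by pausing both the socket and the HTTP parser whenever the downstream writable side of the socket is awaiting a drain event. In the attack scenario, the socket will eventually time out, and be destroyed by the server.") should say which timeout governs that teardown, since the socket is a duplex stream and "downstream writable side" reads ambiguously; stating that it is the response side of the same client socket, and that the connection is destroyed by the server's socket timeout rather than by the pausing itself, tells operators that the window during which a malicious connection holds resources is bounded by that timeout setting, and that a shorter timeout further limits exposure. Relatedly, the nginx sentence ("since it closes connections after 100 pipelined requests by default") would be more actionable if it named the directive involved (`keepalive_requests`, whose default is 100), so that readers who have raised that limit understand the proxy mitigation is weakened accordingly.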
--
1.8.3.2