Re: [hybi] WebSocket connection throttling clarification requested

Adam Rice <ricea@google.com> Mon, 28 January 2013 05:23 UTC


I am concerned that the "throttling is per IP address (regardless of port)"
interpretation allows for a denial of service against any host which uses
web sockets and also has a firewall policy to drop SYN packets to unused
ports.

Example:

1. attacker opens a socket to ws://google.com:81/
2. since there is no response to the TCP/IP SYN packet, the connection
hangs until it times out on the client-side.
3. The user attempts to navigate to google.com in another tab, which attempts
to open a connection to ws://google.com:80/
4. If we consider port 81 and port 80 to be in the same bucket for
connection throttling, the user's legitimate connection will hang waiting
for the attacker's connection to finish.

Obviously a single connection will not hang for more than a few minutes at
most, but the attacker can open hundreds of connections, essentially
completely blocking google.com from using WebSockets for as long as the
user doesn't close the attacker's page.

Since the browser is not doing a lot of work (only sending a SYN packet
every few seconds), it remains completely responsive and from the user's
point of view it appears that google.com is simply not working.

SYN-dropping firewalls are ubiquitous among major commercial websites, and
it seems unlikely that this policy will change. I think there is a risk
that this will hurt WebSocket adoption.

I would therefore like to propose that the wording of the third paragraph
is changed from "to the same IP address" to "to the same /host/ and /port/
pair", so that this interpretation will be unambiguously endorsed.








On 24 January 2013 06:02, Bjoern Hoehrmann <derhoermi@gmx.net> wrote:

> * Adam Rice wrote:
> >I would like to ask for clarification on section 4.1 item 2 of WebSocket
> >RFC 6455. It reads (emphasis mine):
> >
> >2. If the client already has a WebSocket connection to the remote host (IP
> >address) *identified by /host/ and port /port/ pair,* even if the remote
> >host is known by another name, the client MUST wait until that connection
> >has been established or for that connection to have failed. There MUST be
> >no more than one connection in a CONNECTING state. If multiple connections
> >*to the same IP address* are attempted simultaneously, the client MUST
> >serialize them so that there is no more than one connection at a time
> >running through the following steps.
> >
> >The first sentence seems to imply that connections should be throttled on
> >the basis of (host, port) pairs, i.e. that ws://192.0.2.1:80/ and
> >ws://192.0.2.1:81/ should be considered independent for the purposes of
> >connection throttling. The last sentence seems to imply that connections
> >should be throttled on the basis of IP address only, so connections
> >ws://192.0.2.1:80/ and ws://192.0.2.1:81/ should be placed in the same bucket
> >for throttling purposes.
>
> It seems pretty clear to me that the more conservative interpretation is
> the intended one. One reason is that there would otherwise be no limit
> on the simultaneous attempts to connect with a single IP address using
> different port numbers. It seems "identified by /host/ and port /port/
> pair" can safely be removed without replacement through errata.
> --
> Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
> Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
> 25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
>
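
The queueing effect discussed in this message, as a small deterministic model of the two readings of RFC 6455 section 4.1 item 2. This is an added illustration, not part of the original thread or of any browser's code; the function names, the 75-second timeout and the sample attempts are assumptions, and 192.0.2.1 is the documentation address used in the quoted text.

```javascript
// Added example: deterministic model of the client-side CONNECTING throttle.
// Function names, timings and the sample attempts are constructed assumptions.

// Two ways to choose the throttling bucket for an attempt.
const ipBucket = (a) => a.ip;                       // "to the same IP address"
const hostPortBucket = (a) => `${a.ip}:${a.port}`;  // "/host/ and /port/ pair"

// At most one attempt per bucket may be in CONNECTING; later ones wait in FIFO order.
// attempt: { id, ip, port, queuedAt, connectMs }, times in milliseconds, where
// connectMs is how long the attempt stays in CONNECTING (handshake or timeout).
function simulate(attempts, bucketOf) {
  const busyUntil = new Map(); // bucket key -> time its last attempt leaves CONNECTING
  const timeline = new Map();  // attempt id -> { startedAt, doneAt }
  const fifo = [...attempts].sort((a, b) => a.queuedAt - b.queuedAt);
  for (const a of fifo) {
    const key = bucketOf(a);
    const startedAt = Math.max(a.queuedAt, busyUntil.get(key) ?? 0);
    const doneAt = startedAt + a.connectMs;
    busyUntil.set(key, doneAt);
    timeline.set(a.id, { startedAt, doneAt });
  }
  return timeline;
}

// Time an attempt spends queued behind others before its own SYN is sent.
function queueDelay(attempts, bucketOf, id) {
  const queuedAt = attempts.find((a) => a.id === id).queuedAt;
  return simulate(attempts, bucketOf).get(id).startedAt - queuedAt;
}

// Constructed sample: three attempts to a port where SYNs are dropped (assumed
// 75 s client timeout each), then one attempt to the port that answers in 100 ms.
const SYN_TIMEOUT_MS = 75000;
const sample = [
  { id: "dropped-1", ip: "192.0.2.1", port: 81, queuedAt: 0, connectMs: SYN_TIMEOUT_MS },
  { id: "dropped-2", ip: "192.0.2.1", port: 81, queuedAt: 0, connectMs: SYN_TIMEOUT_MS },
  { id: "dropped-3", ip: "192.0.2.1", port: 81, queuedAt: 0, connectMs: SYN_TIMEOUT_MS },
  { id: "legit", ip: "192.0.2.1", port: 80, queuedAt: 1000, connectMs: 100 },
];

console.log("per-IP bucket delay (ms):", queueDelay(sample, ipBucket, "legit"));
console.log("per-(host,port) delay (ms):", queueDelay(sample, hostPortBucket, "legit"));
```

Under the per-pair key the three dropped attempts still serialize behind each other, but attempts to different ports of one address are no longer limited relative to each other, which is the trade-off raised in the quoted reply.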