| author | isaacs <i@izs.me> | 2013-10-22 10:56:03 -0700 |
|---|---|---|
| committer | isaacs <i@izs.me> | 2013-10-22 10:56:03 -0700 |
| commit | 97813ae58d19687f3c61f6355b4307c88908058a (patch) | |
| tree | 227aca924ef0566439f367b84e45007c50356c77 | |
| parent | 028e524bce9e361dc0f10e3f235c91862ba5ec67 (diff) | |
| download | node-new-97813ae58d19687f3c61f6355b4307c88908058a.tar.gz | |
blog: HTTP server DoS vulnerability details
CVE-2013-4450
-rw-r--r-- | doc/blog/vulnerability/http-server-pipeline-flood-dos.md | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/doc/blog/vulnerability/http-server-pipeline-flood-dos.md b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md new file mode 100644 index 0000000000..e4a607d7a9 --- /dev/null +++ b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md @@ -0,0 +1,37 @@ +title: DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21) +date: Tue Oct 22 10:42:10 PDT 2013 +slug: cve-2013-4450-http-server-pipeline-flood-dos +category: vulnerability + +Node.js is vulnerable to a denial of service attack when a client +sends many pipelined HTTP requests on a single connection, and the +client does not read the responses from the connection. + +We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP +servers in production please update as soon as possible. + +* v0.10.21 <http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/> +* v0.8.26 <http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/> + +This is fixed in Node.js by pausing both the socket and the HTTP +parser whenever the downstream writable side of the socket is awaiting +a drain event. In the attack scenario, the socket will eventually +time out, and be destroyed by the server. If the "attacker" is not +malicious, but merely sends a lot of requests and reacts to them +slowly, then the throughput on that connection will be reduced to what +the client can handle. + +There is no change to program semantics, and except in the +pathological cases described, no changes to behavior. + +If upgrading is not possible, then putting an HTTP proxy in front of +the Node.js server can mitigate the vulnerability, but only if the +proxy parses HTTP and is not itself vulnerable to a pipeline flood +DoS. + +For example, nginx will prevent the attack (since it closes +connections after 100 pipelined requests by default), but HAProxy in +raw TCP mode will not (since it proxies the TCP connection without +regard for HTTP semantics). + +This addresses CVE-2013-4450. |
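Review bot: the mitigation paragraph ("In the attack scenario, the socket will eventually time out, and be destroyed by the server") leans on a socket timeout without saying which one, so an operator who has disabled or lengthened the server's timeout cannot tell from this post that the fix still depends on it; please state which timeout governs the paused socket (and that disabling it leaves a flooding client parked until it disconnects). Two smaller points in the same file: the nginx sentence justifies the claim only with "closes connections after 100 pipelined requests by default", so naming the setting that enforces that limit would let readers check it is still in force on their build; and "We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible" reads awkwardly with both "recommend that" and "please", so drop "please".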