DoS countermeasures

[main--]

Our service is incredibly vulnerable to slowloris-style attacks:

• Acquire 3 queue tickets
• Wait until it's your turn
• Start sending a binary frame
• Just stop and don't send anything while still responding to TCP keepalives; alternatively send empty continuation frames or whatever. Just make sure no actual demo data arrives

Result: Demo uploads are blocked entirely. No one can upload anything because you occupy all 3 upload slots.

---

The Problem: Timeouts are either too short and kill users with slow internet or too long, so a variant of the attack where you send one byte at a time, just within the timeout is still super effective.

[moritzuehling]

Idea: No timeouts, but you need to send 1kb/s on average in the last 5 seconds.

[moritzuehling]

No really a problem until a ddos hits us I guess. Closing it.