Mitigate Stream Fragmentation and Reassembly Attacks

[WesleyRosenblum]

The stream receive buffer is optimized to reduce CPU costs from frequent allocations: https://github.com/aws/s2n-quic/pull/1497. Additional mitigations may be warranted to protect against excessive memory consumption due to stream fragmentation attacks.

From 21.7. Stream Fragmentation and Reassembly Attacks in rfc9000:

QUIC deployments SHOULD provide mitigations for stream fragmentation attacks.

Mitigations could consist of:

• avoiding overcommitting memory
• limiting the size of tracking data structures
• delaying reassembly of STREAM frames
• implementing heuristics based on the age and duration of reassembly holes

[toidiu]

The application could use the following metric to determine fragmentation. However we should investigate what exactly this metric means and document it.

The mitigation to the attack would be similar to the Slowloris mitigation; using the supervisor to close the connection (https://docs.rs/s2n-quic/latest/s2n_quic/provider/event/supervisor/index.html)