Closed alanhoff closed 7 years ago
At its current version it is recommended to run a Rocket app behind a reverse proxy like nginx or haproxy for security reasons, especially as an SSL terminator but also for rarer attacks like slowloris. Similarly, all PHP, Ruby, Python, and Node.js projects are recommended to run behind some other server.
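As an added illustration of the setup recommended above (this is not configuration from the Rocket project or from anyone in this thread), here is an nginx server block that terminates TLS and proxies to a Rocket app assumed to be listening on 127.0.0.1:8000. The hostname, certificate paths, zone name and timeout values are assumptions to adjust for a real deployment:

```nginx
# Added example, not from the Rocket project or this thread: nginx in front of
# a Rocket app (assumed to listen on 127.0.0.1:8000). Hostname, certificate
# paths, zone name and timeout values are assumptions.

# Shared-memory zone keyed by client address, used to cap connections per IP.
limit_conn_zone $binary_remote_addr zone=per_ip:10m;

server {
    listen 443 ssl;
    server_name example.com;

    # TLS termination happens here; Rocket only ever sees plain HTTP.
    ssl_certificate     /etc/ssl/certs/example.com.pem;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Slowloris mitigation: the complete request header must arrive within
    # 10s, no more than 10s may pass between two successive body reads, the
    # client must accept response data within 10s, and an idle keep-alive
    # connection is closed after 15s.
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     15s;

    # One client address may hold at most 20 connections at a time, so a
    # single host cannot tie up hundreds of slow connections.
    limit_conn per_ip 20;

    location / {
        proxy_pass         http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Two caveats worth knowing when relying on this. First, client_header_timeout bounds the time for the whole header, but client_body_timeout only bounds the gap between successive reads, so a client dripping one byte of body every few seconds still gets through; the per-IP limit_conn is what bounds how much of that one source can do. Second, nginx buffers the full request by default (proxy_request_buffering on) before forwarding it, so the backend app only sees complete requests and never holds a worker open for a client that is still trickling in headers.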
Got it, thx for the reply
Has there been an update on this situation? There seems to be no way to efficiently protect incoming data streams from slowloris attacks. Running nginx in front of Rocket is fine, but is anything planned to make Rocket resistant? Are simpler requests, without visible streams, protected by Rocket?
is anything planned to make Rocket resistant?
Nothing specifically yet. This attack, and many other connection-level issues such as keepalive and concurrent requests, will be partially or fully addressed by migrating to an async architecture, though. Let's revisit this then.
@jebrosen Is there an approximate ETA on async? I know it's a major change, so I'm certainly not expecting it any time soon.
@jhpratt The goal is to have async support in 0.5. Whether that will happen in 0.5 for sure and how soon that is depend on a lot of external factors including ongoing discussion of the async/await API in the compiler, library/ecosystem support, and time put into it. I would tentatively say "some time this year" is reasonable, though.
Out of curiosity, how does Rocket prevent slowloris attacks?