Open kingluo opened 2 months ago
There are two workarounds for this issue:

- `keepalive_timeout` will send a FIN, so the downstream connection will be closed after the timeout, and the large response body received from the upstream will be discarded, so OOM is avoided.
- set `http_body_len` frang limit.

But IMO, the perfect solution may be to support buffering: https://github.com/tempesta-tech/tempesta/issues/498
I think it also fixes #1715.
part of https://github.com/tempesta-tech/tempesta-test/issues/612
CVE-2019-9511 “Data Dribble”, CVE-2019-9517 “Internal Data Buffering”
Both attacks accumulate big responses from the backend which causes OOM.
~The strange thing is, `keepalive_timeout` does not help, it does not reset or fin the TCP connection. For example, in “Internal Data Buffering”, the keepalive timer only stops the TCP retransmits from Tempesta but does not reset the connection. I need to look into this more.~