Hey Marten,
Caddy is getting some attention on HN today due to HTTP/3 being enabled by default: https://news.ycombinator.com/item?id=32768454
One of the comments asks for an implementation of RequireAddressValidation that uses better metrics. Right now we just count ServeHTTP() methods (i.e. active HTTP requests), but the commenter says:
In that case, I don't think your metric works at all, since legitimate users will increase it, but attackers won't. During an attack it will either remain the same, or even go down as fewer legitimate users manage to connect.
This attack is the QUIC equivalent of a SYN flood, which results in half-open connections, because the attacker is unable to complete the connection by responding to the message the server sends. RequireAddressValidation corresponds to enabling SYN cookies.
Do you have any ideas for what might be a better/safer way to determine whether address validation should occur?
Thanks!
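To make the commenter's point concrete, here is an added example (not Caddy's or quic-go's own code) contrasting the two heuristics side by side: the current one, which counts in-flight ServeHTTP calls, and a SYN-cookie-style one, which counts handshakes that have started but not completed. The callback shape `func(net.Addr) bool` is assumed to match quic-go's RequireAddressValidation config field; the `HandshakeStarted`/`HandshakeCompleted` hooks, the attempt ids and the thresholds are hypothetical and would have to be wired into the listener. The spoofed source address in `SimulateFlood` is constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"sync"
	"sync/atomic"
	"time"
)

// HandshakeTracker counts QUIC connection attempts that have started but not
// finished their handshake, the analogue of half-open TCP connections in a
// SYN flood. A spoofed-source attacker inflates this number, while the count
// of in-flight HTTP requests never moves, because no attacker connection ever
// reaches ServeHTTP.
type HandshakeTracker struct {
	mu          sync.Mutex
	pending     map[string]time.Time // hypothetical attempt id -> handshake start time
	timeout     time.Duration        // after this a stuck handshake is forgotten
	maxHalfOpen int                  // half-open count above which validation is required
	maxActive   int64                // threshold for the active-request heuristic
	activeReqs  int64                // in-flight ServeHTTP calls (hypothetical counter)
}

func NewHandshakeTracker(maxHalfOpen int, maxActive int64, timeout time.Duration) *HandshakeTracker {
	return &HandshakeTracker{
		pending:     make(map[string]time.Time),
		timeout:     timeout,
		maxHalfOpen: maxHalfOpen,
		maxActive:   maxActive,
	}
}

// HandshakeStarted records a new attempt (hypothetically called when an Initial arrives).
func (t *HandshakeTracker) HandshakeStarted(id string, now time.Time) {
	t.mu.Lock()
	defer t.mu.Unlock()
	t.pending[id] = now
}

// HandshakeCompleted drops the attempt once the peer has proved it can
// receive what the server sends (handshake done or connection closed).
func (t *HandshakeTracker) HandshakeCompleted(id string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	delete(t.pending, id)
}

// HalfOpen prunes attempts older than timeout and returns how many remain.
func (t *HandshakeTracker) HalfOpen(now time.Time) int {
	t.mu.Lock()
	defer t.mu.Unlock()
	for id, started := range t.pending {
		if now.Sub(started) > t.timeout {
			delete(t.pending, id)
		}
	}
	return len(t.pending)
}

// RequestStarted and RequestFinished maintain the active-request counter,
// which is what a wrapper around ServeHTTP would do.
func (t *HandshakeTracker) RequestStarted()  { atomic.AddInt64(&t.activeReqs, 1) }
func (t *HandshakeTracker) RequestFinished() { atomic.AddInt64(&t.activeReqs, -1) }

// ByActiveRequests is the heuristic described above: validate under HTTP load.
func (t *HandshakeTracker) ByActiveRequests(addr net.Addr) bool {
	return atomic.LoadInt64(&t.activeReqs) > t.maxActive
}

// ByHalfOpen is the SYN-cookie-style alternative: validate when too many
// handshakes are stuck waiting for the client's reply.
func (t *HandshakeTracker) ByHalfOpen(addr net.Addr) bool {
	return t.HalfOpen(time.Now()) > t.maxHalfOpen
}

// SimulateFlood models n spoofed attempts that never complete their handshake
// and never issue a request, then reports what each policy decides.
func SimulateFlood(t *HandshakeTracker, n int) (byRequests, byHalfOpen bool) {
	now := time.Now()
	src := &net.UDPAddr{IP: net.IPv4(198, 51, 100, 7), Port: 4433} // constructed address
	for i := 0; i < n; i++ {
		t.HandshakeStarted(fmt.Sprintf("spoofed-%d", i), now)
	}
	return t.ByActiveRequests(src), t.ByHalfOpen(src)
}

func main() {
	tr := NewHandshakeTracker(100, 100, 3*time.Second)
	byReq, byHalf := SimulateFlood(tr, 1000)
	fmt.Printf("flood of 1000 half-open attempts: validate by active requests=%v, by half-open=%v\n", byReq, byHalf)
	fmt.Println("half-open attempts left after the timeout:", tr.HalfOpen(time.Now().Add(10*time.Second)))
}
```

The timeout matters: without pruning, a burst of abandoned handshakes would keep validation switched on long after the flood stops, and a per-source-prefix variant of the same counter would let a server demand validation from the prefixes that are actually stuck while leaving well-behaved clients on the fast path.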