test OOM by slow read attack

[kingluo]

part of #612

CVE-2019-9511 “Data Dribble”
CVE-2019-9517 “Internal Data Buffering”

Both attacks accumulate big responses from the backend which causes OOM.

The strange thing is, keepalive_timeout does not help, it does not reset or fin the TCP connection. For example, in “Internal Data Buffering”, the keepalive timer only stops the TCP retransmits from tempesta but does not reset the connection. I need to look into this more.

[kingluo]

There are two workarounds for this issue:

1. keepalive_timeout will send a FIN, so the downstream connection will be closed after the timeout, and the large response body received from the upstream will be discarded, so OOM is avoided.

2. set http_body_len frang limit.

But IMO, the perfect solution may be to support buffering: tempesta-tech/tempesta#498

I think it also fixes #1715.

[RomanBelozerov]

We should not use http_body_len here. This directive does not affect the slowread attack

[kingluo]

No, as said, it's one of the workarounds of slow-read attacks. Please see my description in my comment below.

[RomanBelozerov]

you set http_body_len 10**6, but attacker creates 100 streams with a body of 10**5KB. What will Tempesta's behavior be in this case? This test will not answer on my question, so I think it check nothing.

[kingluo]

http_body_len = 1MB < BODY_SIZE = 1024 * 1024 * 100 = 100MB, then the slow read attack will be broken at 10MB per stream.

[RomanBelozerov]

We plan to remove http_body_len directive for responses in 498 so I think you should not use it for these tests.

[kingluo]

I don't think we should rely on a future PR, let alone no PR schedule for tempesta-tech/tempesta#498. This test should serve as a placeholder, at least to describe the workaround, otherwise, there is no point in keeping it as it will definitely fail under the current implementation, thus blocking CI.

[krizhanovsky]

@kingluo in such cases please write comment like # TODO tempesta#498: remove the body length limit and add a comment to tempesta-tech/tempesta#498 to update the place.

Also if you see comment questions, especially with long discussions, please address them with comments in code. In this case please describe in a comment for the Tempesta configuration how does the workaround for the slow-read attack prevention actually works and reference the CVE

[kingluo]

okay. I'll add the comment.

[RomanBelozerov]

@kingluo @krizhanovsky @const-t We should not use keepalive_timeout and http_body_len:

1. http_body_len - an attacker can just request a resource with a body less then http_body_len and create a lot of streams/connections. And we cannot set a small value for this directive + it work for a response/request at the same time.
2. I think keepalive_timeout also won't help from these attacks. The attacker can consume a lot of memory in a few seconds in a lot of connections/streams. And we cannot set a small value for keepalive_timeout, right?

I think we should wait for #498 issue or make a temporary workaround.