hyper has the settings header_read_timeout() for http1 and keep_alive_timeout() for http2.
axum_server uses the serve_connection_with_upgrades() method, which attempts to determine the http version a connection uses by reading the first header line. As soon as the first line is received, the state machine of either http1 or http2 is entered and the corresponding timeouts apply.
Problem is: This read of the first header line doesn't use a timeout.
So the axum server can easily be DoS'd by opening 1024 tcp connections and then never closing them.
Is there a way to properly handle this attack vector without placing a reverse proxy in front?
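One way to bound that first read, as an added example that is not part of the original post or of hyper/axum_server: a plain std::net server that puts a deadline on the socket before reading the request line, so an idle peer is dropped instead of holding an accept slot indefinitely. The loopback listener, the 200 ms deadline and the helper names are constructed for the demonstration; in a tokio/hyper server the same idea is to wrap the initial read (or the serve_connection future) in tokio::time::timeout.

```rust
use std::io::{self, BufRead, BufReader, ErrorKind, Write};
use std::net::{TcpListener, TcpStream};
use std::thread;
use std::time::Duration;

/// Read the first request line (what hyper inspects to tell HTTP/1 from HTTP/2)
/// with a deadline, so an idle peer is dropped instead of pinning an accept slot.
pub fn read_first_line_with_deadline(stream: &TcpStream, deadline: Duration) -> io::Result<String> {
    stream.set_read_timeout(Some(deadline))?;
    let mut reader = BufReader::new(stream);
    let mut line = String::new();
    match reader.read_line(&mut line) {
        Ok(0) => Err(io::Error::new(ErrorKind::UnexpectedEof, "peer closed before a request line")),
        Ok(_) => {
            stream.set_read_timeout(None)?; // protocol-level timeouts take over from here
            Ok(line.trim_end().to_string())
        }
        // Unix reports a hit deadline as WouldBlock, Windows as TimedOut.
        Err(e) if matches!(e.kind(), ErrorKind::WouldBlock | ErrorKind::TimedOut) => {
            Err(io::Error::new(ErrorKind::TimedOut, "no request line within deadline"))
        }
        Err(e) => Err(e),
    }
}

/// Constructed loopback scenario: one client either sends a request line or just
/// holds the socket open (as an idle attacker would); returns what the server saw.
pub fn serve_one(send_request_line: bool, deadline: Duration) -> io::Result<String> {
    let listener = TcpListener::bind("127.0.0.1:0")?;
    let addr = listener.local_addr()?;
    let client = thread::spawn(move || -> io::Result<()> {
        let mut c = TcpStream::connect(addr)?;
        if send_request_line {
            c.write_all(b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")?;
        }
        thread::sleep(deadline * 3); // outlive the deadline either way
        Ok(())
    });
    let (stream, _) = listener.accept()?;
    let result = read_first_line_with_deadline(&stream, deadline);
    client.join().expect("client thread panicked")?;
    result
}

fn main() {
    let d = Duration::from_millis(200);
    println!("idle peer:   {:?}", serve_one(false, d).map_err(|e| e.kind()));
    println!("proper peer: {:?}", serve_one(true, d));
}
```

A real server would also cap the number of connections still waiting for their first line, since a per-connection deadline alone only bounds how long each slot is held, not how many are held at once.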