Allow an HTTP/2 server to be protected against MadeYouReset attacks

Motivation:

HTTP/2 servers can be vulnerable to MadeYouReset attacks, to protect against this attach Netty can detect a RST flood attack and close the connection in response.

Changes:

Configure the HTTP/2 server connection builder encoder RST flood protection with the same setting than the decoder RST flood protection.

In addition ignore headers frame when the server has received or sent a go away to avoid creating un-necessary request handler calls.

Author: vietj

vertx-core/pom.xml

@@ -44,57 +44,70 @@
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-common</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-buffer</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-handler</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-handler-proxy</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-http2</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-resolver</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-resolver-dns</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-codec-haproxy</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
       <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport-classes-epoll</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
       <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport-classes-io_uring</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
       <optional>true</optional>
     </dependency>
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-transport-classes-kqueue</artifactId>
+      <version>4.2.4.Final-SNAPSHOT</version>
       <optional>true</optional>
     </dependency>
 
@@ -865,12 +878,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
           <classifier>linux-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-io_uring</artifactId>
           <classifier>linux-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
@@ -889,12 +904,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
           <classifier>linux-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-io_uring</artifactId>
           <classifier>linux-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
@@ -913,12 +930,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-epoll</artifactId>
           <classifier>linux-aarch_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-io_uring</artifactId>
           <classifier>linux-aarch_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
@@ -937,12 +956,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-resolver-dns-native-macos</artifactId>
           <classifier>osx-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-kqueue</artifactId>
           <classifier>osx-x86_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
       </dependencies>
@@ -961,12 +982,14 @@
           <groupId>io.netty</groupId>
           <artifactId>netty-resolver-dns-native-macos</artifactId>
           <classifier>osx-aarch_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
         <dependency>
           <groupId>io.netty</groupId>
           <artifactId>netty-transport-native-kqueue</artifactId>
           <classifier>osx-aarch_64</classifier>
+          <version>4.2.4.Final-SNAPSHOT</version>
           <scope>test</scope>
         </dependency>
       </dependencies>

vertx-core/src/main/java/io/vertx/core/http/impl/HttpServerConnectionInitializer.java

@@ -91,6 +91,8 @@ public class HttpServerConnectionInitializer {
         streamContextSupplier,
         connectionHandler,
         HttpUtils.fromVertxInitialSettings(true, options.getInitialSettings()),
+        options.getHttp2RstFloodMaxRstFramePerWindow(),
+        options.getHttp2RstFloodWindowDuration(),
         options.getLogActivity());
     } else {
       http2ChannelInitalizer = new Http2CodecServerChannelInitializer(

vertx-core/src/main/java/io/vertx/core/http/impl/http2/codec/Http2CodecServerChannelInitializer.java

@@ -75,6 +75,7 @@ public VertxHttp2ConnectionHandler<Http2ServerConnectionImpl> buildHttp2Connecti
       .useCompression(compressionManager != null ? compressionManager.options() : null)
       .gracefulShutdownTimeoutMillis(0)
       .decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow)
+      .encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow)
       .useDecompression(options.isDecompressionSupported())
       .initialSettings(options.getInitialSettings())
       .connectionFactory(connHandler -> {

vertx-core/src/main/java/io/vertx/core/http/impl/http2/codec/Http2ConnectionImpl.java

@@ -208,16 +208,20 @@ public void onPriorityRead(ChannelHandlerContext ctx, int streamId, int streamDe
 
   @Override
   public void onHeadersRead(ChannelHandlerContext ctx, int streamId, Http2Headers headers, int streamDependency, short weight, boolean exclusive, int padding, boolean endOfStream) throws Http2Exception {
-    StreamPriority streamPriority = new StreamPriority()
-      .setDependency(streamDependency)
-      .setWeight(weight)
-      .setExclusive(exclusive);
-    onHeadersRead(streamId, headers, streamPriority, endOfStream);
+    if (goAwayStatus == null) {
+      StreamPriority streamPriority = new StreamPriority()
+        .setDependency(streamDependency)
+        .setWeight(weight)
+        .setExclusive(exclusive);
+      onHeadersRead(streamId, headers, streamPriority, endOfStream);
+    }
   }
 
   @Override
   public void onHeadersRead(ChannelHandlerContext ctx, int streamId, Http2Headers headers, int padding, boolean endOfStream) throws Http2Exception {
-    onHeadersRead(streamId, headers, null, endOfStream);
+    if (goAwayStatus == null) {
+      onHeadersRead(streamId, headers, null, endOfStream);
+    }
   }
 
   protected abstract void onHeadersRead(int streamId, Http2Headers headers, StreamPriority streamPriority, boolean endOfStream);

vertx-core/src/main/java/io/vertx/core/http/impl/http2/codec/VertxHttp2ConnectionHandlerBuilder.java

@@ -53,6 +53,11 @@ public VertxHttp2ConnectionHandlerBuilder<C> decoderEnforceMaxRstFramesPerWindow
     return super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
   }
 
+  @Override
+  public VertxHttp2ConnectionHandlerBuilder<C> encoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
+    return super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+  }
+
   @Override
   public VertxHttp2ConnectionHandlerBuilder<C> gracefulShutdownTimeoutMillis(long gracefulShutdownTimeoutMillis) {
     return super.gracefulShutdownTimeoutMillis(gracefulShutdownTimeoutMillis);

vertx-core/src/main/java/io/vertx/core/http/impl/http2/multiplex/Http2CustomFrameCodecBuilder.java

@@ -30,6 +30,16 @@ public Http2CustomFrameCodecBuilder initialSettings(Http2Settings settings) {
     return (Http2CustomFrameCodecBuilder) super.initialSettings(settings);
   }
 
+  @Override
+  public Http2CustomFrameCodecBuilder encoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
+    return (Http2CustomFrameCodecBuilder) super.encoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+  }
+
+  @Override
+  public Http2CustomFrameCodecBuilder decoderEnforceMaxRstFramesPerWindow(int maxRstFramesPerWindow, int secondsPerWindow) {
+    return (Http2CustomFrameCodecBuilder) super.decoderEnforceMaxRstFramesPerWindow(maxRstFramesPerWindow, secondsPerWindow);
+  }
+
   @Override
   public Http2CustomFrameCodecBuilder server(boolean isServer) {
     return (Http2CustomFrameCodecBuilder) super.server(isServer);

vertx-core/src/main/java/io/vertx/core/http/impl/http2/multiplex/Http2MultiplexServerChannelInitializer.java

@@ -34,6 +34,8 @@ public class Http2MultiplexServerChannelInitializer implements Http2ServerChanne
   private final boolean decompressionSupported;
   private final Http2Settings initialSettings;
   private final Http2MultiplexConnectionFactory connectionFactory;
+  private final int rstFloodMaxRstFramePerWindow;
+  private final int rstFloodWindowDuration;
   private final boolean logEnabled;
 
   public Http2MultiplexServerChannelInitializer(ContextInternal context,
@@ -44,6 +46,8 @@ public Http2MultiplexServerChannelInitializer(ContextInternal context,
                                                 Supplier<ContextInternal> streamContextSupplier,
                                                 Handler<HttpServerConnection> connectionHandler,
                                                 Http2Settings initialSettings,
+                                                int rstFloodMaxRstFramePerWindow,
+                                                int rstFloodWindowDuration,
                                                 boolean logEnabled) {
     Http2MultiplexConnectionFactory connectionFactory = (handler, chctx) -> {
       Http2MultiplexServerConnection connection = new Http2MultiplexServerConnection(
@@ -61,6 +65,8 @@ public Http2MultiplexServerChannelInitializer(ContextInternal context,
     this.connectionFactory = connectionFactory;
     this.compressionManager = compressionManager;
     this.decompressionSupported = decompressionSupported;
+    this.rstFloodMaxRstFramePerWindow = rstFloodMaxRstFramePerWindow;
+    this.rstFloodWindowDuration = rstFloodWindowDuration;
     this.logEnabled = logEnabled;
   }
 
@@ -74,6 +80,8 @@ public void configureHttp2(ContextInternal context, ChannelPipeline pipeline, bo
 
     Http2FrameCodec frameCodec = new Http2CustomFrameCodecBuilder(compressionManager, decompressionSupported)
       .server(true)
+      .decoderEnforceMaxRstFramesPerWindow(rstFloodMaxRstFramePerWindow, rstFloodWindowDuration)
+      .encoderEnforceMaxRstFramesPerWindow(rstFloodMaxRstFramePerWindow, rstFloodWindowDuration)
       .initialSettings(initialSettings)
       .logEnabled(logEnabled)
       .build();