
per-entity - Re: [Per-Entity] implementing a cache on the client

Subject: Per-Entity Metadata Working Group

  • From: Patrick Radtke <>
  • To: Nick Roy <>
  • Cc: "Cantor, Scott" <>, "" <>
  • Subject: Re: [Per-Entity] implementing a cache on the client
  • Date: Mon, 8 Aug 2016 10:33:53 -0600

>> I would be more concerned with handling denial of service attacks than
>> well behaving clients and legitimate federation queries. The proposal
>> for pushing files to a CDN makes the most sense to me for handling
>> availability for unexpected loads. Caching HTTP proxies can actually
>> make DoS attacks easier to perform since the attacker can now make
>> cache-missing requests to the various proxies which will then all hit
>> the MDQ servers.
>
> Is this risk at all mitigated if we are just serving static content?

There are DoS techniques for static content as well. They usually
involve sending/reading data really slowly so you can use up the MAX
threads/processes on the web server. There is no CPU or IO load, but
all the requests are reading bytes at a very slow rate to tie up the
server. A caching proxy could help in this scenario, but it would
depend on if it reads the full response from the MDQ server and then
sends it to the client, or if the proxy only reads from the MDQ stream
when the client performs a read to the proxy.

https://en.wikipedia.org/wiki/Denial-of-service_attack#Slow_Read_attack
https://en.wikipedia.org/wiki/Slowloris_(computer_security)

-Patrick
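
Added example, not part of the original message: a small model of the distinction drawn above between a proxy that reads the full MDQ response before serving the client and one that reads from the MDQ stream only as the client reads. The response size, link rate, worker limit and sample connections are constructed assumptions.

```python
from dataclasses import dataclass

RESPONSE_BYTES = 20_000   # assumed size of one metadata document
ORIGIN_BPS = 10_000_000   # assumed proxy-to-MDQ-server transfer rate (bytes/s)
MAX_WORKERS = 256         # assumed thread/process limit on the MDQ server

@dataclass
class Conn:
    start: float       # seconds at which the request reaches the proxy
    client_bps: float  # rate at which the client reads the response (bytes/s)

def origin_hold_seconds(conn, buffering):
    """Time one MDQ server worker stays tied to this request."""
    # Buffering proxy: drains the origin at link speed, then feeds the client.
    # Streaming proxy: reads from the origin only as fast as the client reads.
    rate = ORIGIN_BPS if buffering else min(ORIGIN_BPS, conn.client_bps)
    return RESPONSE_BYTES / rate

def peak_origin_workers(conns, buffering):
    """Peak number of simultaneously busy origin workers (sweep over events)."""
    events = []
    for c in conns:
        events.append((c.start, 1))
        events.append((c.start + origin_hold_seconds(c, buffering), -1))
    busy = peak = 0
    for _, delta in sorted(events):  # at equal times, releases sort first
        busy += delta
        peak = max(peak, busy)
    return peak

def origin_exhausted(conns, buffering):
    """True if the modelled load reaches the origin's worker limit."""
    return peak_origin_workers(conns, buffering) >= MAX_WORKERS

def slow_readers(conns, floor_bps=1_000):
    """Connections below a throughput floor: candidates for a minimum-rate timeout."""
    return [c for c in conns if c.client_bps < floor_bps]

# Constructed sample: 300 clients reading 50 B/s plus 20 normal clients.
SAMPLE = ([Conn(i * 0.1, 50) for i in range(300)]
          + [Conn(i * 1.0, 1_000_000) for i in range(20)])

if __name__ == "__main__":
    for mode in (False, True):
        print("buffering" if mode else "streaming",
              peak_origin_workers(SAMPLE, mode), origin_exhausted(SAMPLE, mode))
```

In the buffering case the slow connections still exist, but they are held by the proxy rather than by the MDQ server.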


