[confighttp] OTE-01-004 WP1: Possible DoS Attacks on HTTP Services #10469

Open
mx-psi opened this issue Jun 26, 2024 · 0 comments
Labels
area:config enhancement New feature or request priority:p1 High

mx-psi commented Jun 26, 2024

To prevent Slowloris attacks we can explicitly set default values for ReadTimeout and WriteTimeout on net/http.Server.

We may need to go through a feature gate process for this since it's potentially breaking for people.


Note

2024 OpenTelemetry security audit finding reference:
OTE-01-004 WP1: Possible DoS Attacks on HTTP Services

@mx-psi mx-psi added enhancement New feature or request priority:p1 High area:config labels Jun 26, 2024
@mx-psi mx-psi changed the title [confighttp] Set explicit ReadTimeout and WriteTimeout on servers [confighttp] OTE-01-004 WP1: Possible DoS Attacks on HTTP Services Jul 31, 2024