
Make overload.premature_reset_total_stream_count runtime setting configurable #5847

Open
sunjayBhatia opened this issue Oct 12, 2023 · 4 comments
Assignees
Labels
area/operational Issues or PRs about making Contour easier to operate as a production service. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@sunjayBhatia
Member

sunjayBhatia commented Oct 12, 2023

This is a parameter that can be tuned to help mitigate CVE-2023-44487

Envoy has a default value of 500 but users may want to tune this to prevent resource starvation during an attack.

This can probably be a new field that is configurable in the Contour ConfigMap/Config CRD on the Listener stanza

> In that case, I think we can follow up on https://github.com/projectcontour/contour/pull/5827 with a change to make this runtime field configurable, as it seems it is something that needs tuning to a particular environment/usage
>
> PRs welcome for that change

Originally posted by @sunjayBhatia in #5826 (comment)
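For readers who want to see where the runtime setting discussed above actually lives in Envoy, the following is an added illustration (not Contour's generated bootstrap and not code from this issue or its linked PRs). It assumes Envoy's documented mechanism of pinning runtime keys through a `static_layer` in the bootstrap's `layered_runtime` block; the value 250 is a constructed example, not a recommendation, and the Contour configuration field that this issue asks for is deliberately not named here because the thread does not define it.

```yaml
# Added example, not Contour's bootstrap: an Envoy bootstrap fragment that pins
# the two runtime keys named in this issue thread via a static runtime layer.
layered_runtime:
  layers:
    - name: static_layer_0
      static_layer:
        # Threshold for Envoy's CVE-2023-44487 mitigation: connections whose
        # count of prematurely reset streams exceeds this are closed.
        # Envoy's default is 500 (as stated in the issue); 250 is a constructed
        # example value. A lower value reacts sooner to a rapid-reset flood, a
        # higher one tolerates noisier but legitimate HTTP/2 clients.
        overload.premature_reset_total_stream_count: 250
        # Companion knob made configurable in #5827: caps the number of
        # requests Envoy processes per connection in one I/O cycle.
        # 10 is likewise a constructed example value.
        http.max_requests_per_io_cycle: 10
```

Whatever the final Contour field ends up being, the operational check is the same: the Envoy admin interface's `/runtime` endpoint lists the active value of each runtime key and which layer supplied it, so an operator can confirm that the configured threshold, rather than Envoy's built-in default, is what is in effect before relying on it during an incident.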

@sunjayBhatia sunjayBhatia added kind/feature Categorizes issue or PR as related to a new feature. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. area/operational Issues or PRs about making Contour easier to operate as a production service. labels Oct 12, 2023
@harshil1973
Contributor

Hey @sunjayBhatia, I'd like to work on this. Please give me some direction regarding where the changes need to be made.

@tsaarni
Member

tsaarni commented Oct 14, 2023

Hi @harshil1973! You can check a similar change that added configurability for another runtime setting, called http.max_requests_per_io_cycle, here: #5827. The runtime setting concerning this issue is called overload.premature_reset_total_stream_count and it is described here and here.

@izturn izturn assigned izturn and unassigned izturn Oct 23, 2023
@basit9958

/assign

@harshil1973
Contributor

@tsaarni, I want to test my changes with this runtime setting. How can I reproduce CVE-2023-44487?
