New book available: This Is Server Country

ChunkLoris: Measuring Per-Chunk HTTP Amplification

paper
authors: Bommarito, M. J.
year: 2026
venue: Working paper (draft)
details: Draft manuscript. A measurement survey of how 54 production HTTP/1, HTTP/2, HTTP/3, and WebSocket servers schedule body-delivery callbacks under one-byte-per-chunk request bodies. The headline finding: 27/27 HTTP/1 servers retain a measurable per-chunk CPU cost (3.6 to 113.6 microseconds per chunk on a 1 vCPU container) and the same shape carries over to HTTP/2 DATA frames, HTTP/3 DATA frames, and WebSocket text frames. The behavior is RFC-compliant and well-known in pieces (hyper #4008, Slowloris-class lineage); the paper contributes the cross-ecosystem, like-for-like, source-cited measurement matrix and a mitigation taxonomy.
Download PDF

pdf preview

citation

Bommarito, M. J. (2026). ChunkLoris: Measuring Per-Chunk HTTP Amplification. Working paper (draft). Draft manuscript. A measurement survey of how 54 production HTTP/1, HTTP/2, HTTP/3, and WebSocket servers schedule body-delivery callbacks under one-byte-per-chunk request bodies. The headline finding: 27/27 HTTP/1 servers retain a measurable per-chunk CPU cost (3.6 to 113.6 microseconds per chunk on a 1 vCPU container) and the same shape carries over to HTTP/2 DATA frames, HTTP/3 DATA frames, and WebSocket text frames. The behavior is RFC-compliant and well-known in pieces (hyper #4008, Slowloris-class lineage); the paper contributes the cross-ecosystem, like-for-like, source-cited measurement matrix and a mitigation taxonomy..