chunkloris: go net/http + golang.org/x/net/http2 (h2c)
part of the chunkloris per-chunk amplification survey. this page is the per-server record for Go net/http + golang.org/x/net/http2 (h2c), with the request body delivered as http/2 (h2c) DATA frames.
at a glance
- server: Go net/http + golang.org/x/net/http2 (h2c), go 1.23 + x/net v0.30
- runtime: Go 1.23
- ecosystem: go
- concurrency model: n-m-scheduler
- parser: x/net/http2 Framer
- delivery granularity: per-chunk
- chunk-limit helper: none exposed by the framework
- verdict: per-frame. the parser/dispatcher boundary delivers one event per protocol frame (an h2 or h3 DATA frame, or a ws data frame); cpu cost under paced mode b is measurable per frame.
- scaling exponent (mode a): 1.16 (wall time vs N, log-log slope across common cells)
- scaling exponent (mode b): 1.00
measurements
all cells run on a 1-vcpu docker container. cpu cost is derived from the target container's cgroup v2 cpu.stat usage_usec delta around each cell.
| mode | N | wall (s) | server cpu % | µs / frame | basis | ok |
|---|---|---|---|---|---|---|
| A-h2-bridge | 50,000 | 0.177 | 102.0 | 3.609 | server-cpu-cgroup | ✓ |
| A-h2-bridge | 100,000 | 0.400 | 118.2 | 4.724 | server-cpu-cgroup | ✓ |
| A-h2-bridge | 250,000 | 1.146 | 105.0 | 4.815 | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 50,000 | 5.395 | 22.2 | 24.010 | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 100,000 | 10.791 | 21.6 | 23.358 | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 250,000 | 26.961 | 17.9 | 19.350 | server-cpu-cgroup | ✓ |
what this means
the parser/dispatcher path on this server delivers one event per protocol frame (here, an http/2 DATA frame over h2c), so an attacker who sends a request body as N one-byte frames consumes roughly N × (mode-b µs/frame) of server cpu on a single core. at the mode-b rate measured above (about 19 to 24 µs per frame), a 250,000-byte body sent as 250,000 one-byte frames costs about 4.8 s of cpu (26.961 s wall × 17.9%), against a few milliseconds if the same bytes arrived coalesced.
what to do today
- if this is an h2 origin, prefer a frontend that terminates h2 into h1 and buffers the request body before forwarding it upstream (nginx: proxy_request_buffering on), so the origin sees one coalesced body rather than N frames.
- consider imposing a per-stream DATA-frame credit (count, not bytes) before forwarding the body to the application handler.
- HTTP/2 byte-level flow control (WINDOW_UPDATE) does not bound the number of frames; configure stream-frame-rate limits where the implementation exposes them.
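the two points above, one parser event per DATA frame and a count-based (not byte-based) per-stream credit, as an added worked example in Go. this is illustration code written for this page, not the survey's prober and not code from net/http or x/net/http2; it uses a minimal hand-rolled HTTP/2 frame codec on the standard library instead of the x/net Framer so it runs offline. the frame encoder, the constructed body of 1,000 one-byte frames, the credit of 64 and the countingDispatch function are all assumptions of the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// HTTP/2 frame layout per RFC 9113 section 4.1: 24-bit length, 8-bit type,
// 8-bit flags, 1 reserved bit + 31-bit stream id, then the payload.
const (
	frameData      = 0x0
	flagEndStream  = 0x1
	frameHeaderLen = 9
)

// frame is a decoded HTTP/2 frame header plus payload.
type frame struct {
	typ      byte
	flags    byte
	streamID uint32
	payload  []byte
}

// parseFrame decodes one frame from the front of buf and returns it with the
// number of bytes consumed. Short input is an error, never a partial frame.
func parseFrame(buf []byte) (frame, int, error) {
	if len(buf) < frameHeaderLen {
		return frame{}, 0, errors.New("short frame header")
	}
	length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
	end := frameHeaderLen + length
	if len(buf) < end {
		return frame{}, 0, errors.New("short frame payload")
	}
	f := frame{
		typ:      buf[3],
		flags:    buf[4],
		streamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff,
		payload:  buf[frameHeaderLen:end],
	}
	return f, end, nil
}

// encodeDataFrame builds one DATA frame; used only to construct the
// attacker's N-frame body (constructed input, not captured traffic).
func encodeDataFrame(streamID uint32, payload []byte, endStream bool) []byte {
	hdr := make([]byte, frameHeaderLen)
	n := len(payload)
	hdr[0], hdr[1], hdr[2] = byte(n>>16), byte(n>>8), byte(n)
	hdr[3] = frameData
	if endStream {
		hdr[4] = flagEndStream
	}
	binary.BigEndian.PutUint32(hdr[5:9], streamID&0x7fffffff)
	return append(hdr, payload...)
}

// chunkedBody returns a body of total bytes split into one-byte DATA frames
// on one stream, the shape the mode A/B probers send (10 wire bytes per frame).
func chunkedBody(streamID uint32, total int) []byte {
	var out []byte
	for i := 0; i < total; i++ {
		out = append(out, encodeDataFrame(streamID, []byte{'a'}, i == total-1)...)
	}
	return out
}

// errFrameCredit is returned when a stream exceeds its DATA-frame budget.
var errFrameCredit = errors.New("stream exceeded DATA-frame credit")

// dispatchStats is what countingDispatch reports.
type dispatchStats struct {
	Frames    int            // DATA frames parsed before stopping
	Bytes     int            // body bytes delivered
	PerStream map[uint32]int // DATA frames seen per stream
}

// countingDispatch parses a frame stream and charges each stream one credit
// per DATA frame regardless of payload size, which byte-level flow control
// (WINDOW_UPDATE) never does. It stops at the first stream that overruns
// maxFramesPerStream; a real server would reset that stream instead.
func countingDispatch(wire []byte, maxFramesPerStream int) (dispatchStats, error) {
	st := dispatchStats{PerStream: map[uint32]int{}}
	for off := 0; off < len(wire); {
		f, n, err := parseFrame(wire[off:])
		if err != nil {
			return st, err
		}
		off += n
		if f.typ != frameData {
			continue
		}
		st.PerStream[f.streamID]++
		st.Frames++
		st.Bytes += len(f.payload)
		if st.PerStream[f.streamID] > maxFramesPerStream {
			return st, errFrameCredit
		}
	}
	return st, nil
}

func main() {
	wire := chunkedBody(1, 1000)
	st, err := countingDispatch(wire, 1<<20)
	fmt.Printf("uncapped: %d parser events for %d body bytes (%d wire bytes), err=%v\n",
		st.Frames, st.Bytes, len(wire), err)
	st, err = countingDispatch(wire, 64)
	fmt.Printf("credit=64: stopped after %d frames, err=%v\n", st.Frames, err)
}
```

run it and the first dispatch shows a 1,000-byte body costing 1,000 parser events and 10,000 bytes on the wire; the second refuses the stream at frame 65, where a 64 KiB byte window would not have fired at all. in a real origin the equivalent check sits at the framer-to-stream boundary and ends with RST_STREAM rather than an error return; this page's server exposes no such hook, which is why the frontend-buffering option comes first in the list above.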
reproducer
the full reproducer for this server is in the paper repo. the docker container pins Go net/http + golang.org/x/net/http2 (h2c) at go 1.23 + x/net v0.30 and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 µs) per the methodology section.
see the draft pdf for the full per-framework discussion.