
security(data-plane): ingress DoS hardening + chunked body-size cap#94

Merged: ndreno merged 1 commit into main from security/data-plane-dos, Jun 30, 2026

Conversation

@ndreno ndreno commented Jun 30, 2026

Area: data-plane ingress DoS (#2)

Closes the ingress DoS gaps. Continues the sequential, one-PR-per-area security work, fail-closed by default with operator opt-outs.

DP-2 — ingress timeouts / connection cap

  • Header-read deadline (slowloris defense) per request, doubling as the HTTP keep-alive idle timeout — this finally wires the previously-discarded --keepalive-timeout flag (_keepalive_duration → used).
  • TLS handshake timeout (10s) wrapping acceptor.accept, so a stalled handshake can't pin a task/FD.
  • HTTP/2 max_concurrent_streams cap (256) against per-connection stream floods.
  • Concurrent-connection ceiling with load shedding (BARBACANE_MAX_CONNECTIONS, default 10000).
  • Applied via a shared configure_conn_builder across the dev + production accept loops. The HTTP/1 builder now also gets a timer (required for header_read_timeout to function — without it the connection task panics, which is why a missing timer would hang every request).

DP-3 — chunked body-size bypass

  • Both request-body collection sites wrap the body in http_body_util::Limited, so a Transfer-Encoding: chunked body with no Content-Length is capped while streaming instead of being fully buffered before the size check.
  • Body-too-large now returns 413 (RFC 9457 payload-too-large) consistently via a dedicated helper, instead of a generic 400.

Tests

The DoS security suite (crates/barbacane-test/tests/security/dos.rs) is now green:

  • oversized_chunked_body_rejected_with_413 — rewritten to boot with --max-body-size 100 so it exercises the gateway's streaming cap (its stated intent) rather than being confounded by schema validation running before the size-limit middleware.
  • slowloris_connection_is_timed_out — un-#[ignore]d: now implementable because the header-read timeout is configurable (--keepalive-timeout) and observable.
  • not_found_flood_does_not_explode_metric_cardinality — assertion aligned to the already-shipped <unmatched> sentinel (the cardinality fix landed in PR Security hardening pass + security test framework #85; only the sentinel string differed).

CI gates verified locally green: cargo fmt --all --check, cargo clippy --workspace --lib --bins --exclude barbacane-test -D warnings, cargo test --workspace --lib --bins --exclude barbacane-test.

Note (separate finding)

While verifying, I found the integration test binaries under crates/barbacane-test/tests/ (including the entire adversarial security suite) are not run by CI — the "Integration Tests" job runs only cargo test -p barbacane-test --lib. I verified this PR's DoS tests + the 2MB-body proxy test locally instead. Wiring the suite into CI is worth a follow-up (filing separately).

Resolves the data-plane ingress DoS items tracked privately (#2).

Closes the ingress-DoS gaps (area: data-plane DoS).

DP-2 (ingress timeouts / connection cap):
- Per-request header-read deadline (slowloris defense), which also doubles as
  the HTTP keep-alive idle timeout and finally wires the previously-discarded
  `--keepalive-timeout` flag.
- TLS handshake timeout so a stalled handshake can't pin a task/FD.
- HTTP/2 max_concurrent_streams cap (256) against stream floods.
- Concurrent-connection ceiling with load shedding
  (`BARBACANE_MAX_CONNECTIONS`, default 10000).
- All applied via a shared `configure_conn_builder` helper across the dev and
  production accept loops. The HTTP/1 builder now gets a timer (required for
  the header-read timeout to function).

DP-3 (chunked body-size bypass):
- Both request-body collection sites wrap the body in `http_body_util::Limited`
  so a `Transfer-Encoding: chunked` body with no Content-Length is capped while
  streaming instead of being fully buffered before the size check.
- Body-too-large now returns 413 (RFC 9457 payload-too-large) consistently,
  via a dedicated response helper, instead of a generic 400.

Tests: the previously-red DoS security suite is now green, including the
slowloris test (un-blocked now that there is a configurable, observable
header-read timeout). Docs and CHANGELOG updated for the new env var and the
keepalive wiring.
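The DP-3 point above (cap a chunked body while streaming, not after buffering it) as an added std-only model, not code from the barbacane repository: the `Limited` wrapper here imitates what the description says `http_body_util::Limited` does (an assumption from its name and the text, not a copy of that crate), and it is compared with a pre-fix buffer-then-check collector on a constructed chunked body.

```rust
// Added example, not code from the barbacane repository: a std-only model of
// the DP-3 fix. A chunked body carries no Content-Length, so the cap has to be
// enforced per chunk while streaming, not after the whole body is buffered.
#[derive(Debug, PartialEq)]
pub enum BodyError {
    LengthLimitExceeded { limit: usize, seen: usize },
}

/// Models `http_body_util::Limited`: errors as soon as the running total passes `limit`.
pub struct Limited<I> {
    pub inner: I,
    pub limit: usize,
    pub seen: usize,
}

impl<I: Iterator<Item = Vec<u8>>> Iterator for Limited<I> {
    type Item = Result<Vec<u8>, BodyError>;
    fn next(&mut self) -> Option<Self::Item> {
        let chunk = self.inner.next()?;
        self.seen += chunk.len();
        if self.seen > self.limit {
            // The over-cap chunk is never handed on; the gateway maps this error to a 413.
            return Some(Err(BodyError::LengthLimitExceeded { limit: self.limit, seen: self.seen }));
        }
        Some(Ok(chunk))
    }
}

/// Both collectors return (bytes held in memory, result); the first number is what a bypass costs.
pub type Outcome = (usize, Result<Vec<u8>, BodyError>);

/// Pre-fix behaviour: buffer every chunk, then compare the total with the cap.
pub fn collect_then_check(chunks: impl Iterator<Item = Vec<u8>>, limit: usize) -> Outcome {
    let body: Vec<u8> = chunks.flatten().collect();
    let seen = body.len();
    if seen > limit { return (seen, Err(BodyError::LengthLimitExceeded { limit, seen })); }
    (seen, Ok(body))
}

/// Post-fix behaviour: read through `Limited`; the first over-cap chunk aborts collection.
pub fn collect_limited(chunks: impl Iterator<Item = Vec<u8>>, limit: usize) -> Outcome {
    let mut body = Vec::new();
    for item in (Limited { inner: chunks, limit, seen: 0 }) {
        match item {
            Ok(chunk) => body.extend_from_slice(&chunk),
            Err(e) => return (body.len(), Err(e)),
        }
    }
    (body.len(), Ok(body))
}
```

With ten 40-byte chunks against a 100-byte cap, the pre-fix collector holds all 400 bytes before rejecting, while the streaming collector holds 80 and stops at the third chunk.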
@ndreno ndreno merged commit 94b4a3f into main Jun 30, 2026
12 checks passed
@ndreno ndreno deleted the security/data-plane-dos branch June 30, 2026 14:12