But they've also known about the issue for almost a year. In the h2 issue, they were alerted in no uncertain terms that it carried a DDoS risk. Other people also requested a CVE in public.
The fact that this issue was open for almost a year doesn't indicate much attention to security. There are also some other issues open which look like they would enable similar attacks.
Yep, you can see the history here: https://github.com/github/advisory-database/commits/main/advisories/github-reviewed/2023/04/GHSA-f8vr-r385-rh5r/GHSA-f8vr-r385-rh5r.json
So napkin maths time. Typical cross-world bog-standard network speed for a single TCP channel is ~25 MiB/s. A single HEADERS+RST pair is likely < 128 bytes (40 for the HEADERS + whatever payload, and 32 for the RST). So 8 pairs per K, 8K pairs per MiB, 200K pairs per 25 MiB...
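To put numbers behind the napkin maths above, here is an added example that is not part of the thread and not code from the h2 project: it builds a minimal HTTP/2 HEADERS frame (HPACK static-table entries for `:method GET`, `:scheme https`, `:path /`, plus a literal `:authority`) and the matching RST_STREAM(CANCEL) frame per RFC 7540/7541, measures their wire size, and derives pairs-per-second for a given link speed. The 9-byte frame header, the static-table indices and the RST_STREAM error code come from the RFCs; the authority value and the 25 MiB/s link are assumptions. It only constructs bytes in memory and sends nothing.

```python
import struct

# RFC 7540 frame types, flags and error codes used below
HEADERS = 0x1
RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8

FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id


def frame(ftype, flags, stream_id, payload):
    """Serialise one HTTP/2 frame: 9-byte header followed by payload."""
    if len(payload) > 0xFFFFFF or stream_id >> 31:
        raise ValueError("length or stream id out of range")
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frame(data):
    """Decode a single frame back into (type, flags, stream_id, payload)."""
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
    payload = data[9:9 + length]
    if len(payload) != length:
        raise ValueError("truncated frame")
    return ftype, flags, stream_id, payload


def hpack_int(value, prefix_bits, first_byte_mask=0):
    """RFC 7541 section 5.1 integer encoding with an N-bit prefix."""
    max_prefix = (1 << prefix_bits) - 1
    if value < max_prefix:
        return bytes([first_byte_mask | value])
    out = bytearray([first_byte_mask | max_prefix])
    value -= max_prefix
    while value >= 128:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)


def hpack_indexed(index):
    """RFC 7541 6.1: indexed header field, 1-bit pattern + 7-bit index."""
    return hpack_int(index, 7, 0x80)


def hpack_literal_no_index(name_index, value):
    """RFC 7541 6.2.2: literal without indexing, name from static table,
    value as a raw (non-Huffman) string."""
    raw = value.encode()
    return hpack_int(name_index, 4, 0x00) + hpack_int(len(raw), 7, 0x00) + raw


def minimal_request_headers(authority, stream_id):
    """Smallest plausible GET request: static entries 2 (:method GET),
    7 (:scheme https), 4 (:path /) and a literal :authority (name index 1)."""
    block = (hpack_indexed(2) + hpack_indexed(7) + hpack_indexed(4)
             + hpack_literal_no_index(1, authority))
    return frame(HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, stream_id, block)


def rst_stream(stream_id, code=ERR_CANCEL):
    """RST_STREAM frame: 4-byte error code payload."""
    return frame(RST_STREAM, 0, stream_id, struct.pack(">I", code))


def pair_size(authority="a"):  # assumed one-byte authority for the lower bound
    return len(minimal_request_headers(authority, 1)) + len(rst_stream(1))


def rapid_reset_burst(pairs, authority="a"):
    """Bytes for `pairs` HEADERS+RST_STREAM pairs on consecutive odd
    (client-initiated) stream ids; used only to measure wire cost."""
    out = bytearray()
    for i in range(pairs):
        sid = 2 * i + 1
        out += minimal_request_headers(authority, sid) + rst_stream(sid)
    return bytes(out)


def pairs_per_second(bytes_per_second, pair_bytes):
    """How many HEADERS+RST pairs a link of the given speed can carry."""
    return bytes_per_second // pair_bytes


if __name__ == "__main__":
    link = 25 * 2**20  # assumed 25 MiB/s single-connection throughput
    print("minimal pair bytes:", pair_size())
    print("pairs/s at 128 B/pair:", pairs_per_second(link, 128))
    print("pairs/s at minimal size:", pairs_per_second(link, pair_size()))
```

With the 128-byte figure from the comment, 25 MiB/s carries about 204,800 pairs per second; with the minimal 28-byte pair the same link carries over 900,000, so the comment's number is a conservative floor (TCP/IP overhead is amortised because many frames share one segment).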
PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead