1.11.1 (August 13, 2019)

Changes

• http: added mitigation of client initiated attacks that result in flooding of the downstream HTTP/2 connections. Those attacks can be logged at the “warning” level when the runtime feature http.connection_manager.log_flood_exception is enabled. The runtime setting defaults to disabled to avoid log spam when under attack.

• http: added inbound_empty_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on consecutive inbound frames with an empty payload and no end stream flag. The limit is configured by setting the max_consecutive_inbound_frames_with_empty_payload config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_consecutive_inbound_frames_with_empty_payload overrides max_consecutive_inbound_frames_with_empty_payload setting. Large override value (i.e. 2147483647) effectively disables mitigation of inbound frames with empty payload.

• http: added inbound_priority_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound PRIORITY frames. The limit is configured by setting the max_inbound_priority_frames_per_stream config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_inbound_priority_frames_per_stream overrides max_inbound_priority_frames_per_stream setting. Large override value effectively disables flood mitigation of inbound PRIORITY frames.

• http: added inbound_window_update_frames_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the limit on inbound WINDOW_UPDATE frames. The limit is configured by setting the max_inbound_window_update_frames_per_data_frame_sent config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_inbound_window_update_frames_per_data_frame_sent overrides max_inbound_window_update_frames_per_data_frame_sent setting. Large override value effectively disables flood mitigation of inbound WINDOW_UPDATE frames.

• http: added outbound_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit. The limit is configured by setting the max_outbound_frames config setting Runtime feature envoy.reloadable_features.http2_protocol_options.max_outbound_frames overrides max_outbound_frames config setting. Large override value effectively disables flood mitigation of outbound frames of all types.

• http: added outbound_control_flood counter stat to the HTTP/2 codec stats, for tracking number of connections terminated for exceeding the outbound queue limit for PING, SETTINGS and RST_STREAM frames. The limit is configured by setting the max_outbound_control_frames config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.max_outbound_control_frames overrides max_outbound_control_frames config setting. Large override value effectively disables flood mitigation of outbound frames of types PING, SETTINGS and RST_STREAM.

• http: enabled strict validation of HTTP/2 messaging. Previous behavior can be restored using stream_error_on_invalid_http_messaging config setting. Runtime feature envoy.reloadable_features.http2_protocol_options.stream_error_on_invalid_http_messaging overrides stream_error_on_invalid_http_messaging config setting.