A flaw was found under Istio Envoy which leads to Denial of service when using HTTP/2 protocol. In the basic form the attack submits a high number of requests, starving legitimate connections of CPU, causing either elevated latencies or request timeouts. In more complicated production scenarios, Envoy is often integrated with sidecar services, such as rate limiter, ext_authz or WAF. Envoy may be configured to fail open when a sidecar service times out, to prevent sidecar service outage from impacting user traffic. In this case the attack may cause request timeouts to the sidecar services, and (if they fail open) the abusive requests reaching backend services. The attack can be detected by observing elevated `downstream_rq_http2_total` or `downstream_rq_http3_total` counters without a substantial increase in the `downstream_cx_active` counter. In some known forms of attack the value of `downstream_rq_rx_reset` will be elevated, while during other known forms of attack the `downstream_rq_5xx` or `downstream_rq_4xx` will be elevated.
*** This bug has been marked as a duplicate of bug 2243296 ***
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.3 for RHEL 8 Via RHSA-2023:5951 https://access.redhat.com/errata/RHSA-2023:5951
This issue has been addressed in the following products: Red Hat OpenShift Service Mesh 2.4 for RHEL 8 Via RHSA-2023:5952 https://access.redhat.com/errata/RHSA-2023:5952