Allele Security Alert
Denial of Service with keep-alive HTTP connections
The Node.js Project
All versions of Node.js 6 (LTS “Boron”)
Node.js 6.17.0 (LTS “Boron”)
Proof of concept
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
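Added example (not part of the original alert or of Node.js itself): an audit of a server's idle keep-alive ceiling, covering runtimes that lack server.keepAliveTimeout, plus a loopback timing check. The helper names and the 5000 ms budget (taken from the default described above) are assumptions for illustration.

```javascript
// Added example, not Node.js project code; all helper names are hypothetical.
const http = require('http');
const net = require('net');
const IDLE_BUDGET_MS = 5000; // the 5-second default described in the alert

// Server with an explicit keep-alive timeout instead of a version-dependent default.
function makeServer(keepAliveMs = IDLE_BUDGET_MS) {
  const server = http.createServer((req, res) => res.end('ok'));
  server.keepAliveTimeout = keepAliveMs;
  return server;
}

// Configured ceiling (ms) on an idle keep-alive socket; Infinity = never closed.
function idleLimit(server) {
  // undefined: runtime predates the setting (Node.js 6.16.0 and earlier).
  // 0: setting disabled. Both fall back to the general socket timeout.
  if (!server.keepAliveTimeout) return server.timeout > 0 ? server.timeout : Infinity;
  return server.keepAliveTimeout;
}

// Return a list of findings; an empty list means the server is within budget.
function auditKeepAlive(server, budgetMs = IDLE_BUDGET_MS) {
  const findings = [];
  if (server.keepAliveTimeout === undefined) {
    findings.push('runtime has no server.keepAliveTimeout; upgrade to a release that has it');
  } else if (server.keepAliveTimeout === 0) {
    findings.push('server.keepAliveTimeout is 0 (disabled)');
  }
  const limit = idleLimit(server);
  if (limit > budgetMs) {
    findings.push(`idle keep-alive sockets may stay open ${limit} ms (budget ${budgetMs} ms)`);
  }
  return findings;
}

// Loopback check against your own server: send one keep-alive request, stay
// silent, and resolve with the ms the server took to close the idle socket.
function measureIdleClose(server) {
  return new Promise((resolve, reject) => {
    server.listen(0, '127.0.0.1', () => {
      const sock = net.connect(server.address().port, '127.0.0.1');
      let idleSince = null;
      sock.on('connect', () => sock.write('GET / HTTP/1.1\r\nHost: localhost\r\n\r\n'));
      sock.on('data', () => { if (idleSince === null) idleSince = Date.now(); });
      sock.on('close', () => { const ms = Date.now() - idleSince; server.close(() => resolve(ms)); });
      sock.on('error', reject);
    });
  });
}
```

Calling measureIdleClose(makeServer(1000)).then(console.log) prints a value close to the configured timeout; the exact figure varies with the runtime.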
Timur Shemsedinov and Matteo Collina
February 2019 Security Releases
http: destroy sockets after keepAliveTimeout
Last modified: March 6, 2019