chunkloris: cowboy (h2c)

part of the chunkloris per-chunk amplification survey. this page is the per-server record for cowboy (h2c) under http/2 (h2c) data frames.

at a glance

• server: cowboy (h2c) 2.15.0 (cowlib 2.16.1, ranch 2.2.0)
• runtime: Erlang/OTP 27 + Elixir 1.17
• ecosystem: beam
• concurrency model: process
• parser: cowboy_http2
• delivery granularity: per-frame
• chunk-limit helper: none exposed by the framework
• verdict: h2 GOAWAY 11 (ENHANCE_YOUR_CALM) — the server aborts the tiny-frame request before consuming the target body. this is the cleanest in-protocol mitigation we observed, but it is not a spec requirement, and it is specific to http/2.

measurements

all cells run on a 1-vcpu docker container. cpu cost is derived from the target container’s cgroup v2 cpu.stat usage_usec delta around each cell.

parser path — source citations

• Cowboy HTTP/2 protocol module — ? → source

what this means

this server detects abnormally small DATA frames on h2c and aborts the request with GOAWAY error code 11 (ENHANCE_YOUR_CALM) before consuming the target body. this is in-protocol and effective, but it is not a spec requirement and is specific to http/2.

what to do today

• if this is an h2 origin, prefer a frontend that terminates h2 into h1 with proxy_request_buffering on upstream.
• consider imposing a per-stream DATA-frame credit (count, not bytes) before forwarding the body to the application handler.
• HTTP/2 byte-level flow control (WINDOW_UPDATE) does not bound the number of frames; configure stream-frame-rate limits where the implementation exposes them.

reproducer

the full reproducer for this server is in the paper repo. the docker container pins cowboy (h2c) 2.15.0 (cowlib 2.16.1, ranch 2.2.0) and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 µs) per the methodology section.

see the draft pdf for the full per-framework discussion.