chunkloris: kestrel (asp.net core 9, http/3)
on this page
part of the chunkloris per-chunk amplification survey. this page is the per-server record for Kestrel (ASP.NET Core 9, HTTP/3) under http/3 data frames over quic.
at a glance
- server: Kestrel (ASP.NET Core 9, HTTP/3)
ASP.NET Core 9.0 + MsQuic - runtime: .NET 9
- ecosystem: dotnet
- concurrency model: ThreadPool + async/await + System.IO.Pipelines
- parser: Kestrel HTTP/3 over MsQuic
- delivery granularity:
per-frame - chunk-limit helper: none exposed by the framework
- verdict: per-frame β the parser/dispatcher boundary delivers one event per protocol frame (h2 / h3 DATA frame, or ws data frame). cpu cost under paced mode b is measurable per frame.
- scaling exponent (mode a): 0.98 (wall time vs N, log-log slope across common cells)
- scaling exponent (mode b): 1.00
measurements
all cells run on a 1-vcpu docker container. cpu cost is derived from the target containerβs cgroup v2 cpu.stat usage_usec delta around each cell.
| mode | N | wall (s) | server cpu % | Β΅s / frame | basis | ok |
|---|---|---|---|---|---|---|
A-h3-bridge | 50,000 | 0.112 | 93.8 | 2.094 | server-cpu-cgroup | β |
A-h3-bridge | 100,000 | 0.229 | 116.0 | 2.661 | server-cpu-cgroup | β |
A-h3-bridge | 250,000 | 0.542 | 106.4 | 2.307 | server-cpu-cgroup | β |
B-h3-paced-100us | 50,000 | 7.820 | 57.7 | 90.299 | server-cpu-cgroup | β |
B-h3-paced-100us | 100,000 | 15.576 | 44.1 | 68.676 | server-cpu-cgroup | β |
B-h3-paced-100us | 250,000 | 39.177 | 43.0 | 67.405 | server-cpu-cgroup | β |
parser path β source citations
- HTTP/3 support β
?β source
what this means
the parser/dispatcher path on this server delivers one event per protocol frame (a http/3 data frames over quic DATA frame or ws frame), so an attacker who sends a request body as N one-byte frames consumes roughly N Γ (mode-b Β΅s/frame) of server cpu on a single core.
what to do today
- HTTP/3 quic stream / connection flow control is byte-level; it does not bound DATA frame count.
- consider a per-stream DATA-frame credit at the h3 dispatcher before delivering payload to the application.
reproducer
the full reproducer for this server is in the paper repo. the docker container pins Kestrel (ASP.NET Core 9, HTTP/3) ASP.NET Core 9.0 + MsQuic and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 Β΅s) per the methodology section.
see the draft pdf for the full per-framework discussion.