chunkloris: phoenix on cowboy (h2c)
part of the chunkloris per-chunk amplification survey. this page is the per-server record for phoenix on cowboy (h2c) under http/2 (h2c) data frames.
at a glance
- server: phoenix on cowboy (h2c), Phoenix 1.8.7 / plug_cowboy 2.8.1 / cowboy 2.15.0
- runtime: Erlang/OTP 27 + Elixir 1.17
- ecosystem: beam
- concurrency model: process
- parser: cowboy_http2 via Phoenix.Endpoint.Cowboy2Adapter
- delivery granularity: per-frame
- chunk-limit helper: none exposed by the framework
- verdict: h2 GOAWAY 11 (ENHANCE_YOUR_CALM). the server aborts the tiny-frame request before consuming the target body. this is the cleanest in-protocol mitigation we observed, but it is not a spec requirement, and it is specific to http/2.
measurements
all cells run on a 1-vcpu docker container. cpu cost is derived from the target container's cgroup v2 cpu.stat usage_usec delta around each cell.
| mode | N | wall (s) | server cpu % | µs / frame | basis | ok |
|---|---|---|---|---|---|---|
| A-h2-bridge | 50,000 | 0.034 | 67.5 | n/a | server-cpu-cgroup | ✓ |
| A-h2-bridge | 100,000 | 0.040 | 60.8 | n/a | server-cpu-cgroup | ✓ |
| A-h2-bridge | 250,000 | 0.037 | 61.5 | n/a | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 50,000 | 1.088 | 22.4 | n/a | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 100,000 | 1.109 | 16.1 | n/a | server-cpu-cgroup | ✓ |
| B-h2-paced-100us | 250,000 | 1.085 | 12.7 | n/a | server-cpu-cgroup | ✓ |
parser path: source citations
- Cowboy HTTP/2 protocol module (cowboy_http2)
what this means
this server detects abnormally small DATA frames on h2c and aborts the request with GOAWAY error code 11 (ENHANCE_YOUR_CALM) before consuming the target body. this is in-protocol and effective, but it is not a spec requirement and is specific to http/2.
what to do today
- if this is an h2 origin, prefer a frontend that terminates h2 into h1 with proxy_request_buffering on upstream.
- consider imposing a per-stream DATA-frame credit (count, not bytes) before forwarding the body to the application handler.
- HTTP/2 byte-level flow control (WINDOW_UPDATE) does not bound the number of frames; configure stream-frame-rate limits where the implementation exposes them.
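as an added illustration (not the survey's reproducer and not Cowboy's code) of why the credit has to count frames rather than bytes, here is a small python model of one stream's body accounting: the byte window is the h2 default initial window, the 1000-frame credit is an assumed value, and the probes are constructed.

```python
FLOW_CONTROL_ERROR = 3   # h2 error code when the peer overruns the byte window
ENHANCE_YOUR_CALM = 11   # h2 error code this server answered with (GOAWAY 11)


class StreamBodyGuard:
    """Per-stream accounting for a request body arriving as DATA frames."""

    def __init__(self, window_bytes=65535, frame_credit=1000):
        self.window = window_bytes   # initial flow-control window, in bytes
        self.credit = frame_credit   # added count-based credit (assumed value)
        self.frames = 0
        self.bytes = 0

    def on_data_frame(self, payload_len):
        """Account one DATA frame; return None to accept or an error code to abort."""
        if payload_len > self.window:
            return FLOW_CONTROL_ERROR   # the byte window is the only spec-mandated bound
        if self.frames >= self.credit:
            return ENHANCE_YOUR_CALM    # spent per frame, so tiny frames exhaust it first
        self.window -= payload_len      # spent per byte, so 1-byte frames barely dent it
        self.bytes += payload_len
        self.frames += 1
        return None


def run_probe(frame_sizes, **limits):
    """Feed constructed DATA frame sizes through a fresh guard and summarise the outcome."""
    guard = StreamBodyGuard(**limits)
    aborted = None
    for size in frame_sizes:
        aborted = guard.on_data_frame(size)
        if aborted is not None:
            break
    return {"frames": guard.frames, "bytes": guard.bytes,
            "window_left": guard.window, "aborted": aborted}


if __name__ == "__main__":
    # constructed probes: a normal body in 1000-byte frames versus the same
    # byte budget sent as 1-byte frames (the tiny-frame pattern the survey measures)
    print(run_probe([1000] * 60))   # all accepted; window is the binding limit
    print(run_probe([1] * 60000))   # frame credit trips after 1000 frames, window barely used
```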
reproducer
the full reproducer for this server is in the paper repo. the docker container pins phoenix on cowboy (h2c) Phoenix 1.8.7 / plug_cowboy 2.8.1 / cowboy 2.15.0 and constrains the test container to a single cpu (--cpus=1). the prober script implements mode a (bridge-coalesced) and mode b (paced 100 µs) per the methodology section.
see the draft pdf for the full per-framework discussion.