Go and enhance your calm: demolishing an HTTP/2 interop problem
Summary
The article discusses a critical issue encountered in a microservices architecture using HTTP/2, specifically the ErrCode=ENHANCE_YOUR_CALM error raised by Cloudflare's defence against PING flood attacks. It details how a misconfiguration in a Go client led to excessive PING frames being sent, causing Cloudflare's defenses to close the connection. The authors provide insights into the HTTP/2 protocol's features, the importance of reading response bodies, and strategies for debugging such issues. The article emphasizes the need for developers to understand the implications of HTTP/2 features and to implement best practices to avoid similar pitfalls.
Key Learnings
1. Understanding the nuances of HTTP/2 features is crucial to avoid triggering denial-of-service mitigations.
2. Always read HTTP response bodies in Go to prevent unnecessary PING and RST_STREAM frames that can lead to connection closures.
3. Utilizing packet captures and detailed logging can help diagnose and resolve interop issues effectively.
4. The design of microservices should consider the implications of using edge services like Cloudflare for internal communication.
5. Dogfooding internal services can provide valuable insights that improve customer-facing products.
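As an added illustration of the second learning (example code, not from the Cloudflare article): a Go client that drains a response body to EOF before closing it, so the HTTP/2 stream ends cleanly instead of being reset. The `maxDrain` cap, the `drainAndClose` and `statusOnly` names and the local test server are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)
// maxDrain caps how much of an unwanted body is read; assumed value for this
// example, tune it to the service. Draining to EOF lets the HTTP/2 stream end
// cleanly, so the Go client has no reason to send RST_STREAM (and the PING
// that follows it) on Close; the cap keeps a huge body from being read forever.
const maxDrain = 64 << 10

// drainAndClose discards up to maxDrain bytes of body, then closes it, and
// reports the bytes discarded and whether EOF was reached within the cap.
func drainAndClose(body io.ReadCloser) (n int64, drained bool, err error) {
	defer body.Close()
	n, err = io.CopyN(io.Discard, body, maxDrain)
	if errors.Is(err, io.EOF) {
		return n, true, nil // end of body reached: stream finishes without a reset
	}
	if err != nil {
		return n, false, err
	}
	// Cap reached with no EOF: the body may be larger than we are willing to
	// read, so Close will reset the stream, the lesser evil here.
	return n, false, nil
}

// statusOnly performs a GET where only the status code matters, the common
// case that tempts a caller to Close the body unread.
func statusOnly(client *http.Client, url string) (status int, discarded int64, err error) {
	resp, err := client.Get(url)
	if err != nil {
		return 0, 0, err
	}
	discarded, _, err = drainAndClose(resp.Body)
	return resp.StatusCode, discarded, err
}
func main() {
	// Constructed local server (HTTP/1.1 here) standing in for the upstream service.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, strings.Repeat("x", 1000))
	}))
	defer srv.Close()
	fmt.Println(statusOnly(srv.Client(), srv.URL))
}
```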
Who Should Read This
Senior Backend Engineers with experience in Go and microservices architecture facing HTTP/2 communication challenges
Test Your Knowledge
What are the potential consequences of not monitoring HTTP/2 feature usage in a microservices architecture?
How does the PING frame in HTTP/2 contribute to potential denial-of-service vulnerabilities?
What design decisions should be made to ensure efficient communication between microservices using HTTP/2?
Why is it important to read the response body in Go, and what are the implications of neglecting this step?
In what scenarios might excessive RST_STREAM frames be generated, and how can they be mitigated?