There was an article I read titled “Chrome Shields Websites From Denial-Of-Service Attacks”. Right away, from the title, I was intrigued. While I know end-users can cause a DoS attack to happen (especially if they absolutely can’t let go of that F5 key), I was interested to see how Google went about this. Let’s just say the results were less than stellar, and here’s why.
Google’s plan to do this is simple: use HTTP throttling to reduce the server load after each non-200 HTTP response (200 being the OK response) from the server. Basically, when a server sends Chrome a response other than 200, Google will not let another request go to that server for 0.7 seconds, with each subsequent request to the same server being delayed by up to 900 seconds (15 minutes). The delay grows exponentially.
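To put numbers on the scheme described above, here is a small model of per-host exponential back-off, added as an illustration and not Chrome's actual code. The 0.7-second initial delay and the 900-second cap come from the article; the doubling factor, the reset on a 200 response, instantaneous responses, and the names `HostThrottle` and `requestsInWindow` are assumptions.

```javascript
// Added example: a model of per-host exponential back-off throttling.
// From the article: 0.7 s first delay, 900 s cap, triggered by non-200 responses.
// Assumptions: the delay doubles per consecutive failure, a 200 response
// resets the host, and responses arrive instantly.
const INITIAL_DELAY_S = 0.7;
const MAX_DELAY_S = 900;
const GROWTH_FACTOR = 2; // assumed, not stated in the article

class HostThrottle {
  constructor() {
    this.hosts = new Map(); // host -> { failures, blockedUntil }
  }

  // Delay imposed after the n-th consecutive non-200 response (n >= 1).
  static delayFor(failures) {
    return Math.min(MAX_DELAY_S, INITIAL_DELAY_S * GROWTH_FACTOR ** (failures - 1));
  }

  // May a request to `host` be sent at time `now` (in seconds)?
  canSend(host, now) {
    const state = this.hosts.get(host);
    return !state || now >= state.blockedUntil;
  }

  // Record a response status seen at time `now`; returns the delay imposed.
  recordResponse(host, status, now) {
    if (status === 200) {
      this.hosts.delete(host); // success clears the back-off state
      return 0;
    }
    const failures = (this.hosts.get(host)?.failures ?? 0) + 1;
    const delay = HostThrottle.delayFor(failures);
    this.hosts.set(host, { failures, blockedUntil: now + delay });
    return delay;
  }
}

// How many requests does one client get through to a host that always
// answers 503, if it retries the instant the throttle allows it?
function requestsInWindow(windowSeconds) {
  const throttle = new HostThrottle();
  const host = "example.test"; // constructed host name
  let now = 0;
  let sent = 0;
  while (now < windowSeconds && throttle.canSend(host, now)) {
    sent += 1;
    now += throttle.recordResponse(host, 503, now);
  }
  return sent;
}
```

Under these assumptions, a client that retries as fast as the throttle allows gets 14 requests through in an hour to a server that keeps returning errors.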
I’m willing to bet that at least 99.5% of the DoS (not even including DDoS) attacks are NOT from a browser. Even though Google Chrome is still holding a big stake in the browser market, this will still only affect roughly 0.5% of the attacks of both DoS and DDoS, if it’s that high. The reason is that, since Chrome has already implemented a measure to break the infinite redirect loop issue, there aren’t many other possible ways to do a DoS attack via a browser. Even if you were to continuously press the F5 key, you’d have to do so faster than a gunslinger fanning a pistol for it to even make a dent in the server’s performance.
I like the initiative that Google put into place on this prospect, but the real-world use for this seems like a waste of development resources. This could’ve just been done via an extension. Luckily, however, the feature is disabled by default in Chrome 12, so it’s not terrible, just useless.