Something I’ve wondered about building an http server from scratch or even a reverse proxy using some http lib is how to handle denial of service. I feel like handling DoS could take up a decent chunk of code and runtime performance, but I’m not really sure. I don’t even know what the potential attacks are, I just know they exist.
So, I’ve done a bit of this.
For an HTTP server you are primarily interested in mitigating application-level attacks, with some interest in the protocol-level.
DOS attacks attempt to exhaust some resource - typically RAM, CPU or I/O - without exhausting the attacker's resources. For instance, when I last used Apache HTTPD it consumed relatively high RAM per connection, allowing attacker software to open connections until it ran out.
The key idea in DOS protection is to ensure that your design requires an attacker to consume comparable (e.g. same big-O complexity) resources to those you do.
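An added example, not part of the original reply, of bounding what a single connection can cost the server: a byte cap and one overall deadline on the request head, plus a per-address connection cap. The limit values and the names `read_head`, `ConnLimiter` and `handle` are assumptions chosen for illustration; `handle` has the callback signature that `asyncio.start_server` expects.

```python
import asyncio
from collections import Counter

MAX_HEAD_BYTES = 8192    # assumed: most memory one connection may pin before parsing
HEAD_DEADLINE_S = 5.0    # assumed: total time a client gets to send the request head
MAX_CONNS_PER_IP = 20    # assumed: concurrent connections allowed per client address
class HeadRejected(Exception): """Client exceeded a budget before completing its head."""

async def read_head(reader, max_bytes=MAX_HEAD_BYTES, deadline_s=HEAD_DEADLINE_S):
    async def _read():
        buf = bytearray()
        while b"\r\n\r\n" not in buf:
            if len(buf) >= max_bytes:
                raise HeadRejected("head too large")
            chunk = await reader.read(max_bytes - len(buf))  # never buffer past the cap
            if not chunk:
                raise HeadRejected("closed before head complete")
            buf += chunk
        return bytes(buf)
    try:  # one deadline for the whole head; a per-read timeout restarts on every chunk
        return await asyncio.wait_for(_read(), deadline_s)
    except asyncio.TimeoutError:
        raise HeadRejected("head deadline exceeded") from None

class ConnLimiter:
    def __init__(self, per_ip=MAX_CONNS_PER_IP):
        self.per_ip, self.active = per_ip, Counter()
    def acquire(self, ip):
        if self.active[ip] >= self.per_ip:
            return False
        self.active[ip] += 1
        return True
    def release(self, ip):
        self.active[ip] -= 1
        if self.active[ip] <= 0:
            del self.active[ip]   # keep the table itself from growing without bound
limiter = ConnLimiter()

async def handle(reader, writer):
    ip = writer.get_extra_info("peername")[0]
    if limiter.acquire(ip):       # over the cap: close without reading anything
        try:
            await read_head(reader)
            writer.write(b"HTTP/1.1 204 No Content\r\nConnection: close\r\n\r\n")
            await writer.drain()
        except HeadRejected:
            pass                  # no error body: spend nothing more on this client
        finally:
            limiter.release(ip)
    writer.close()
```

With these limits the memory a client can hold before sending a complete request is at most `MAX_CONNS_PER_IP * MAX_HEAD_BYTES` per address, for at most `HEAD_DEADLINE_S` seconds per connection.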