Transfer-Encoding HTTP DoS
Transfer-Encoding Denial Of Service is a technique where the attacker abuses the HTTP protocol's Transfer-Encoding header
to launch a Denial Of Service attack. All the attacker has to do is to craft a specific HTTP request like the one below and
send it to their target:

    POST /some-endpoint HTTP/1.1
    Host: example.com
    Transfer-Encoding: chunked

    10\r\n
    HGSXCZSQNP\r\n

With this header, the server and client can stream chunk-encoded data to each other until the terminating chunk is provided.
The terminating chunk is a chunk that contains a zero followed by a carriage return and a newline.
Let's say the attacker sends the same chunk we saw in the request above once per minute:

    10\r\n
    HGSXCZSQNP\r\n

This will force the server to hold the connection open as it waits for the terminating chunk, which the
attacker never provides.
Transfer-Encoding Denial Of Service is a variant of the R.U.D.Y. (R U Dead Yet?) attack, but it works against
any endpoint that accepts the Transfer-Encoding header rather than only against web form data.
Although such an attack may be effective against HTTP servers, servers running HTTP/2, HTTP/3 or later
are protected against it, because the Transfer-Encoding header is disallowed there and any request depending on
it is rejected with a protocol error.
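
One common mitigation is to bound how long and how slowly a chunked body may arrive. The following is an added example, not part of the original page: it decodes chunks incrementally and drops a body that misses a total deadline or falls below a minimum data rate. The function names, the thresholds (30 seconds, 50 bytes per second, 5 second grace period) and the sample reads are assumptions constructed for illustration.

```python
import re

CRLF = b"\r\n"
# Constructed reads as (seconds since the headers arrived, bytes received).
# Chunk sizes are hexadecimal, so "A" announces 10 bytes of data.
SLOW = [(0.0, b"A\r\nHGSXCZSQNP\r\n"), (60.0, b"A\r\nHGSXCZSQNP\r\n")]
FAST = [(0.1, b"A\r\nHGSXCZSQNP\r\n"), (0.2, b"0\r\n\r\n")]

def parse_chunks(buf):
    """Decode the complete chunks in buf; return (data, leftover, finished)."""
    data = bytearray()
    while True:
        head, sep, rest = buf.partition(CRLF)
        if not sep:
            return bytes(data), buf, False  # size line still incomplete
        m = re.fullmatch(rb"([0-9A-Fa-f]{1,8})(;.*)?", head)
        if not m:
            raise ValueError("malformed chunk size")
        size = int(m.group(1), 16)
        if size == 0:
            return bytes(data), rest, True  # trailers ignored in this sketch
        if len(rest) < size + 2:
            return bytes(data), buf, False  # chunk data still incomplete
        if rest[size:size + 2] != CRLF:
            raise ValueError("chunk data not followed by CRLF")
        data += rest[:size]
        buf = rest[size + 2:]

def body_verdict(events, max_seconds=30.0, min_rate=50.0, grace=5.0):
    """Replay reads; drop a body that misses the deadline or the rate floor.

    A live server must also run these checks on a timer, because a silent
    peer produces no reads to trigger them.
    """
    buf, body, received = b"", bytearray(), 0
    for now, data in events:
        received += len(data)
        decoded, buf, finished = parse_chunks(buf + data)
        body += decoded
        if finished:
            return "complete", bytes(body)
        if now > max_seconds:
            return "dropped: body deadline exceeded", bytes(body)
        if now > grace and received / now < min_rate:
            return "dropped: below minimum body rate", bytes(body)
    return "pending", bytes(body)
```

body_verdict(SLOW) reports the one-chunk-per-minute pattern as dropped at the second read, while body_verdict(FAST) completes normally.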