Comment 9 for bug 1202785

Robert Clark (robert-clark) wrote:

So the major issue here that I think (iirc) differentiates this from similar issues in the past is that the requests are unauthenticated and there's no elegant way to rate/size-limit these unauthed requests. To that end it's somewhat different from the previous Keystone DoS issue.

Regarding slowloris, I can't see how common controls like deploying Varnish would be of any use... No obvious solution springs to mind. I suppose that the severity of the Glance API going down is less than that of, say, Keystone, but some deployers may have SLAs around image upload etc., and this issue certainly appears to have the capability to DoS the Glance API without too much effort and in an unauthenticated way.

I don't think the fix for Keystone would work here unless you had a way to verify tokens from Apache/Nginx (or whatever your FE proxy is), because, as already pointed out in the bug report, Glance needs to accept big uploads.

This feels like a real security bug to me.
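The proxy-side tradeoff the comment above is weighing (big uploads must stay possible, yet a slow unauthenticated client should not be able to hold glance-api workers open indefinitely) can be made concrete with a front-end configuration. The following nginx fragment is an added illustration, not from this bug thread and not a Glance project recommendation; the listen address, certificate paths, upstream address (127.0.0.1:9292), zone names and all numeric limits are placeholders to tune per deployment.

```nginx
# Added illustration (not from the bug thread or the Glance project): an
# nginx front end for glance-api that keeps unbounded image uploads
# possible while bounding what one client, authenticated or not, can
# hold open. Assumed: glance-api listens on 127.0.0.1:9292; the zone
# names, certificate paths and numbers are placeholders.

http {
    # Shared-memory zones keyed by client address: one counts in-flight
    # connections per source IP, the other its request rate.
    limit_conn_zone $binary_remote_addr zone=glance_conn:10m;
    limit_req_zone  $binary_remote_addr zone=glance_req:10m rate=10r/s;

    upstream glance_api {
        server 127.0.0.1:9292;
    }

    server {
        listen 443 ssl;
        ssl_certificate     /etc/ssl/glance.crt;   # placeholder
        ssl_certificate_key /etc/ssl/glance.key;   # placeholder

        # Allow arbitrarily large bodies: the image upload *is* the API,
        # so a size cap is not an option here.
        client_max_body_size 0;

        # ...but the client must keep sending. Close the connection if
        # no header/body bytes arrive for 10s (slow-header / slow-POST
        # trickling). Note: this is a timeout between successive reads,
        # not a cap on total upload time.
        client_header_timeout 10s;
        client_body_timeout   10s;

        # Buffer the request body on the proxy so glance-api only sees a
        # complete upload; a slow sender then ties up proxy disk/sockets
        # rather than an API worker.
        proxy_request_buffering on;

        # Bound what a single source IP can hold open or submit, since
        # nothing at this layer can tell an authenticated caller apart.
        limit_conn         glance_conn 20;
        limit_req          zone=glance_req burst=20 nodelay;
        limit_conn_status  429;
        limit_req_status   429;

        location / {
            proxy_pass http://glance_api;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Two caveats a deployer would check before relying on this. First, `client_body_timeout` only fires when a read stalls, so a client that trickles a byte every few seconds stays under it; the per-IP `limit_conn` is what caps how many such trickling connections one address can keep open, and it does nothing against a source that spreads connections across many addresses or hits a deployment where many legitimate users share a NAT. Second, `proxy_request_buffering on` spools each upload to disk on the proxy (`client_body_temp_path`), so the proxy needs enough disk for concurrent image uploads; turning it off hands the slow-sender problem straight back to glance-api.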