Robert Yates wrote:
An attacker sets up rogue homesites that respond very slowly, if at all, to verify requests and requests for persona-urls. The attacker then peppers a membersite with messages that need verification from the rogue homesites and that also potentially need to resolve rogue persona-urls. Given that the homesites are responding slowly to these requests, the requests coming out of the membersite start to build up and eventually exhaust the server's resources, most notably the threads. Is this a valid DoS attack, and if so, what approaches are available to the membersite to mitigate its effect?
I don't think it is, other than the resources expended processing the request message, which is akin to a DoS on a web site by requesting lots of pages. The important point to note is that the DMD0 protocol is stateless and that, for the most part, the participants have no need to keep any kind of state during a transaction, or indeed to care if the transaction is completed; simply dealing with responses as they arrive is sufficient. So there is no point at which any thread will be blocked waiting for a response; that would be a broken implementation anyway.
-- Pete
dix mailing list [email protected] https://www1.ietf.org/mailman/listinfo/dix
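An added example, not code from either poster or from any DIX implementation, showing the non-blocking membersite design Pete describes: verify requests to homesites are issued asynchronously with a per-request timeout and a bounded number in flight, so a rogue homesite that never answers costs one bounded slot for the timeout period rather than a server thread. The homesite stub, the names and the delays are constructed for the demonstration.

```python
import asyncio
import time

# Constructed stub standing in for a homesite. delay=None models a rogue
# homesite that never answers a verify request.
async def homesite_verify(name, delay):
    if delay is None:
        await asyncio.Event().wait()   # never set: no response ever arrives
    await asyncio.sleep(delay)
    return f"{name}:verified"

async def membersite_verify(requests, timeout, max_in_flight):
    """Issue verify requests without blocking any thread.

    requests: list of (homesite_name, delay) pairs (constructed input).
    Returns (results, elapsed) where results maps name -> 'verified' or
    'timeout'. Responses are handled as they arrive; a silent homesite only
    holds one of max_in_flight slots until its timeout fires.
    """
    sem = asyncio.Semaphore(max_in_flight)
    results = {}
    start = time.monotonic()

    async def one(name, delay):
        async with sem:
            try:
                # wait_for cancels the pending request when the timeout fires,
                # so nothing is left waiting on the rogue homesite.
                await asyncio.wait_for(homesite_verify(name, delay), timeout)
                results[name] = "verified"
            except asyncio.TimeoutError:
                results[name] = "timeout"

    await asyncio.gather(*(one(n, d) for n, d in requests))
    return results, time.monotonic() - start

def run_membersite(requests, timeout=0.2, max_in_flight=4):
    """Synchronous entry point; runs the event loop to completion."""
    return asyncio.run(membersite_verify(requests, timeout, max_in_flight))

if __name__ == "__main__":
    # Three rogue homesites that never answer plus one honest, fast one.
    sample = [("rogue1", None), ("rogue2", None), ("fast", 0.01), ("rogue3", None)]
    res, took = run_membersite(sample, timeout=0.1, max_in_flight=2)
    print(res, f"{took:.2f}s")
```

With two slots and a 0.1 s timeout the whole batch finishes in roughly 0.2 s, and the honest homesite is verified regardless of how many rogue ones are queued alongside it.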
