-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bruce Campbell
Sent: Tuesday, March 28, 2006 9:54 PM
To: Jabber software development list
Subject: Re: [Standards-JIG] Re: [jdev] Security-related thought experiment
On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:

> Perhaps, but it needs to be clarified that such a limit must be implemented
> in a very specific way. Current implementations of "max stanza size" will
> likely not prevent this attack from being successful because it is imposed
> after the stanza is parsed. This attack is targeted at the streaming XML
> parser.
>
> Such a limiting mechanism should be implemented at the transport level, not
> at the session or presentation layers as currently implemented in most XMPP
> servers.

Yes. Another measure that should be added to such a JEP is a maximum time value for any stanza to be received. This would provide against attacks which consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep' etc., and distributed versions of this (many connections doing this, tying up both TCP handles and, depending on how the parser is implemented, eventually having an interesting memory allocation pattern.)

-- 
Bruce Campbell
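The two measures Bruce and Robert describe, a byte cap enforced on the raw transport bytes and a per-stanza receive deadline, as an added example that is not part of the thread or of any XMPP server's code: a guard placed in front of Python's incremental XML parser that counts and times raw bytes from a stanza's first byte until the parser reports its top-level element closed. The stream header, stanza contents, clock values and the 200-byte / 5-second budgets are all constructed for the demonstration.

```python
import time
import xml.etree.ElementTree as ET

class StanzaLimitError(Exception):
    """In-flight bytes exceeded the per-stanza byte or time budget."""

class BoundedStanzaReader:
    """Transport-level guard in front of a streaming XML parser: raw bytes are counted and
    timed from a stanza's first byte until its top-level element closes, so oversized or
    slow-dripped stanzas are rejected while still in flight, not after they are parsed."""
    def __init__(self, max_bytes, max_seconds, clock=time.monotonic):
        self.max_bytes, self.max_seconds, self.clock = max_bytes, max_seconds, clock
        self.parser = ET.XMLPullParser(events=("start", "end"))
        self.depth = 0              # element nesting depth; 0 = before <stream:stream>
        self.pending_bytes = 0      # raw bytes received since the last stanza boundary
        self.pending_since = None   # clock() when those bytes began arriving

    def feed(self, chunk):
        # Feed one transport chunk; return any top-level stanzas it completed.
        now = self.clock()
        if self.pending_since is not None or chunk.strip():  # idle keepalive whitespace is free
            if self.pending_since is None:
                self.pending_since = now
            self.pending_bytes += len(chunk)
            if self.pending_bytes > self.max_bytes:
                raise StanzaLimitError("stanza exceeds %d bytes" % self.max_bytes)
            if now - self.pending_since > self.max_seconds:
                raise StanzaLimitError("stanza not completed within %gs" % self.max_seconds)
        self.parser.feed(chunk)
        done = []
        for event, elem in self.parser.read_events():
            self.depth += 1 if event == "start" else -1
            if self.depth == 1:     # the stream root just opened, or a top-level stanza closed
                if event == "end": done.append(elem)
                self.pending_bytes, self.pending_since = 0, None
        return done

def simulate(chunks, max_bytes=200, max_seconds=5.0):
    """Replay (timestamp, chunk) pairs with a fake clock; return accepted tags and any error."""
    now, accepted = [0.0], []
    reader = BoundedStanzaReader(max_bytes, max_seconds, clock=lambda: now[0])
    for now[0], chunk in chunks:
        try:
            accepted += [e.tag for e in reader.feed(chunk)]
        except StanzaLimitError as err:
            return accepted, str(err)
    return accepted, None

# Constructed sample traffic (not from the thread): a normal roster request, then the slow
# drip Bruce describes and, separately, one oversized stanza.
STREAM_HEADER = b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
WELL_BEHAVED = [(0.0, STREAM_HEADER), (1.0, b"<iq type='get' id='r1'><query xmlns='jabber:iq:roster'/></iq>")]
SLOW_DRIP = WELL_BEHAVED + [(2.0, b"<iq>baa"), (4.0, b"baa"), (8.0, b"black")]
OVERSIZED = WELL_BEHAVED + [(2.0, b"<message>" + b"A" * 300)]
```

The deadline is only checked when a further chunk arrives, so a real server still needs an idle timer to reap connections that simply stop sending; whitespace keepalives between stanzas are deliberately left out of the budget.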
