On Tue 2009-01-13 at 13:28 -0700, Peter Saint-Andre wrote:
> Dirk Meyer wrote:
> > Peter Saint-Andre wrote:
> >> 1. authentication attempts per account
> >> 2. authentication attempts per IP address
> >> 3. connection attempts per account
> >> 4. connection attempts per IP address
> >> 5. simultaneous connections per account
> >> 6. simultaneous connections per account
> >>
> >> Currently XEP-0205 says a server could do #1 but the consequences might
> >> be a DoS against the legitimate user, so instead it recommends #4 or #6
> >> because the spec assumes that the attacker will come from a different IP
> >> address than the one used by the legitimate user. But #4 and #6 don't
> >> solve the problem that Waqas mentions (a DoS attack launched by someone
> >> from your same IP address, e.g. from behind the same NAT).
> >
> > Most people have a NAT at home. If someone inside my home network is
> > running a DoS on my account, I have bigger problems than my XMPP
> > account.
>
> Right, that's what I was thinking. :)
OTOH, an ISP could NAT a number of subscribers behind a single IP, which is the one the XMPP server would see. Wouldn't that be an issue?

//Marcus
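The trade-off in the quoted list, worked through as an added example that is not part of this thread or of any XMPP server's code: a constructed toy limiter on simultaneous connections, keyed either per account (#5) or per IP (#4/#6 style), run through the two scenarios discussed: an attacker on a different IP, and one behind the same NAT IP as the legitimate user. Account names and IPs are constructed sample values.

```python
from collections import Counter

# Constructed toy model of the XEP-0205 options in the quoted list; not any
# real server's code. Keys the simultaneous-connection limit by account or IP.
class ConnectionLimiter:
    def __init__(self, key, limit):
        assert key in ("account", "ip")
        self.key = key
        self.limit = limit
        self.active = Counter()   # currently open connections per key

    def _key(self, account, ip):
        return account if self.key == "account" else ip

    def connect(self, account, ip):
        """Admit the connection if its key is under the limit; True if admitted."""
        k = self._key(account, ip)
        if self.active[k] >= self.limit:
            return False
        self.active[k] += 1
        return True

    def disconnect(self, account, ip):
        k = self._key(account, ip)
        if self.active[k] > 0:
            self.active[k] -= 1


def simulate(key, limit=5):
    """Attacker opens `limit` connections towards the victim's account, then
    the legitimate user tries once. Returns whether the user got in, for an
    attacker on a different IP and for one behind the same NAT IP (all values
    are constructed sample data)."""
    victim = "alice@example.net"
    user_ip, attacker_ip = "198.51.100.7", "203.0.113.9"
    results = {}
    for label, src in (("different_ip", attacker_ip), ("same_nat", user_ip)):
        lim = ConnectionLimiter(key, limit)
        for _ in range(limit):
            lim.connect(victim, src)                    # attacker's connections
        results[label] = lim.connect(victim, user_ip)   # legitimate user
    return results


if __name__ == "__main__":
    for key in ("account", "ip"):
        print(key, simulate(key))
```

Per-account limiting locks the legitimate user out in both scenarios, per-IP limiting only in the shared-NAT one; and in that mode every subscriber behind an ISP-level NAT shares a single quota, which is the concern raised above.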
