Marcus Lundblad wrote:
> On Tue 2009-01-13 at 13:28 -0700, Peter Saint-Andre wrote:
>> Dirk Meyer wrote:
>>> Peter Saint-Andre wrote:
>>>> 1. authentication attempts per account
>>>> 2. authentication attempts per IP address
>>>> 3. connection attempts per account
>>>> 4. connection attempts per IP address
>>>> 5. simultaneous connections per account
>>>> 6. simultaneous connections per account
>>>>
>>>> Currently XEP-0205 says a server could do #1 but the consequences might
>>>> be a DoS against the legitimate user, so instead it recommends #4 or #6
>>>> because the spec assumes that the attacker will come from a different IP
>>>> address than the one used by the legitimate user. But #4 and #6 don't
>>>> solve the problem that Waqas mentions (a DoS attack launched by someone
>>>> from your same IP address, e.g. from behind the same NAT).
>>> Most people have a NAT at home. If someone inside my home network is
>>> running a DoS on my account, I have bigger problems than my XMPP
>>> account.
>> Right, that's what I was thinking. :)
>
> OTOH, an ISP could NAT a number of subscribers behind a single IP, which
> is the one the XMPP would see.
> Wouldn't that be an issue?
Yes, that would. In fact, I've heard of whole countries existing behind one big NAT. Hmm.

Peter
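As an added illustration (not code from this thread, from XEP-0205 or from any XMPP server), a toy sliding-window limiter keyed either per account (#1) or per IP address (#2), run over constructed login events to show the two outcomes the thread argues about: per-account throttling locks the real user out whenever anyone hammers her account, and per-IP throttling only spares her when the hostile client sits on a different address than her NAT. The account names, RFC 5737 addresses, window length and threshold are all assumptions.

```python
from collections import defaultdict, deque

WINDOW = 60        # seconds of history considered (assumed)
MAX_FAILURES = 3   # failed authentications tolerated per key within WINDOW (assumed)

class AuthRateLimiter:
    """Sliding-window counter of failed logins, keyed per account (#1) or per IP address (#2)."""
    def __init__(self, key_policy):
        self.key_policy = key_policy        # "account" or "ip"
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _key(self, account, ip):
        return account if self.key_policy == "account" else ip

    def allow(self, now, account, ip):
        window = self.failures[self._key(account, ip)]
        while window and now - window[0] >= WINDOW:
            window.popleft()                # forget failures older than WINDOW
        return len(window) < MAX_FAILURES

    def record_failure(self, now, account, ip):
        self.failures[self._key(account, ip)].append(now)

def simulate(key_policy, events):
    """Feed constructed auth events (time, actor, account, ip, password_ok) through the limiter."""
    limiter = AuthRateLimiter(key_policy)
    outcomes = []
    for now, actor, account, ip, password_ok in events:
        if not limiter.allow(now, account, ip):
            outcomes.append((actor, "throttled"))
        elif password_ok:
            outcomes.append((actor, "ok"))
        else:
            limiter.record_failure(now, account, ip)
            outcomes.append((actor, "failed"))
    return outcomes

def legit_user_locked_out(key_policy, events):
    """True if the account owner's correct-password login was throttled, i.e. the limiter itself DoSed her."""
    return ("alice", "throttled") in simulate(key_policy, events)

# Constructed scenarios (RFC 5737 documentation addresses): a hostile client guesses alice's
# password four times, then alice logs in with the right password from behind the NAT at NAT_IP.
NAT_IP, OTHER_IP = "203.0.113.5", "198.51.100.7"
ALICE_LOGIN = [(10, "alice", "alice", NAT_IP, True)]
ATTACK_FROM_SAME_NAT = [(t, "attacker", "alice", NAT_IP, False) for t in range(4)] + ALICE_LOGIN
ATTACK_FROM_OTHER_IP = [(t, "attacker", "alice", OTHER_IP, False) for t in range(4)] + ALICE_LOGIN

if __name__ == "__main__":
    for policy, events in (("account", ATTACK_FROM_SAME_NAT), ("ip", ATTACK_FROM_SAME_NAT), ("ip", ATTACK_FROM_OTHER_IP)):
        print(policy, "alice locked out:", legit_user_locked_out(policy, events))
```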
