Hi,
On Jan 20, 2009, at 7:12 PM, Peter Saint-Andre wrote:
Marcus Lundblad wrote:
tis 2009-01-13 klockan 13:28 -0700 skrev Peter Saint-Andre:
Dirk Meyer wrote:
Peter Saint-Andre wrote:
1. authentication attempts per account
2. authentication attempts per IP address
3. connection attempts per account
4. connection attempts per IP address
5. simultaneous connections per account
6. simultaneous connections per account
Currently XEP-0205 says a server could do #1 but the consequences might be a DoS against the legitimate user, so instead it recommends #4 or #6 because the spec assumes that the attacker will come from a different IP address than the one used by the legitimate user. But #4 and #6 don't solve the problem that Waqas mentions (a DoS attack launched by someone from your same IP address, e.g. from behind the same NAT).

Most people have a NAT at home. If someone inside my home network is running a DoS on my account, I have bigger problems than my XMPP account.
Right, that's what I was thinking. :)
OTOH, an ISP could NAT a number of subscribers behind a single IP, which is the one the XMPP would see.
Wouldn't that be an issue?
Yes, that would. In fact, I've heard of whole countries existing behind one big NAT.
Hmm.
I don't think the "hmm" is really necessary. Sure, there will be scenarios where some of the rules in the DoS XEP are not adequate. I don't believe the point of the XEP is to provide a mandatory set of anti-DoS rules. Each server admin should be knowledgeable enough to tweak the rules to his particular needs.

I guess the only recommendation we could make is to server vendors: please implement enable/disable logic for each recommendation, instead of a single Anti-DoS On/Off switch.
Best regards,
--
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: [email protected]
Use XMPP!
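An added illustration of the trade-off discussed in this thread, not code from any of the participants or from an XMPP server: a small authentication rate limiter where the per-account (#1) and per-IP (#2) rules are independent switches, run against a constructed scenario in which the attacker and the victim share one NAT address. The rule names, limits, addresses and accounts are all assumptions chosen for the demo.

```python
import copy
from collections import defaultdict, deque

# Rule names follow the thread's numbering (#1, #2); each is its own switch.
BASE_RULES = {
    "auth_per_account": {"enabled": False, "limit": 5, "window": 60.0},
    "auth_per_ip": {"enabled": False, "limit": 20, "window": 60.0},
}

def rules(*enabled):
    """Copy of BASE_RULES with the named rules switched on."""
    r = copy.deepcopy(BASE_RULES)
    for name in enabled:
        r[name]["enabled"] = True
    return r

class AuthLimiter:
    """Sliding-window counters keyed by (rule, account-or-IP)."""
    def __init__(self, rule_set, clock):
        self.rules, self.clock = rule_set, clock
        self.events = defaultdict(deque)

    def _check(self, rule, key):
        cfg = self.rules[rule]
        if not cfg["enabled"]:
            return True
        now, q = self.clock(), self.events[(rule, key)]
        while q and now - q[0] > cfg["window"]:
            q.popleft()
        if len(q) >= cfg["limit"]:
            return False
        q.append(now)
        return True

    def allow_auth(self, account, ip):
        # Evaluate every rule so each attempt is counted, then require all to pass.
        verdicts = [self._check("auth_per_account", account), self._check("auth_per_ip", ip)]
        return all(verdicts)

def simulate(rule_set):
    """Constructed scenario: attacker and victim sit behind the same NAT address."""
    lim = AuthLimiter(rule_set, clock=lambda: 0.0)  # fixed clock: one window
    nat_ip, other_ip = "198.51.100.7", "203.0.113.9"  # constructed addresses
    for _ in range(25):  # attacker hammering the victim's account via the NAT
        lim.allow_auth("victim@example.com", nat_ip)
    return {
        "victim_via_nat": lim.allow_auth("victim@example.com", nat_ip),
        "bystander_via_nat": lim.allow_auth("alice@example.com", nat_ip),
        "victim_elsewhere": lim.allow_auth("victim@example.com", other_ip),
    }
```

With only the per-IP rule on, the victim and an unrelated bystander behind the same NAT are both refused while the victim still gets in from elsewhere; with only the per-account rule on, the bystander is fine but the victim is locked out from every address, which is the DoS against the legitimate user that XEP-0205 warns about.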