[Standards-JIG] Re: [jdev] Security-related thought experiment

Robert B Quattlebaum, Jr. darco at deepdarc.com
Mon Mar 27 09:48:30 CST 2006


Perhaps, but it needs to be clarified that such a limit must be  
implemented in a very specific way. Current implementations of "max  
stanza size" will likely not prevent this attack from being  
successful because it is imposed after the stanza is parsed. This  
attack is targeted at the streaming XML parser.

As long as there is the ability to set a limit then this attack can  
be thwarted.

Such a limiting mechanism should be implemented at the transport  
level, not at the session or presentation layers as currently  
implemented in most XMPP servers.

While it would perhaps be a good idea to allow the server  
administrator the ability to disable this mechanism, I think that it  
should be enabled by default--perhaps set to 100k(an absurdly large  
size for a stanza).

All of these recommendations would be enumerated and described in the  
proposed best-practice JEP.

On Mar 27, 2006, at 7:22 AM, Vinod Panicker wrote:

> On 3/27/06, Robert B Quattlebaum, Jr. <darco at deepdarc.com> wrote:
>> *bump*
>>
>> I personally think this is a rather serious issue, perhaps warranting
>> a "Best-practices" JEP for server developers. As XMPP becomes more
>> and more popular, it is only a matter of time before script-kiddies
>> start causing trouble.
>>
>> What I'm thinking is a JEP which describes the attack and ways to
>> prevent it from being successful. Then it makes it easy for server
>> authors to communicate if their server is hardened against this type
>> of attack: "AcmeJabD 0.3 is JEP-01xx compliant"...
>>
>> Any thoughts? Good idea? Better solution? Am I making this out to be
>> bigger than it actually is?
>
> <snip/>
>
> It's recommended that internet servers have a limit on the amount of
> data it would accept from a client as a "command".  In the case of
> xmpp, the server could enforce it in terms of bytes received on the
> connection.  Unfortunately, this would be deployment scenario based -
> since some deployments might require the server to accept a large
> number of bytes in a single stanza (assuming an extension to the
> protocol), while others would be happy with say a 10K limit.
>
> I think that this should be left to the server administrators to
> configure, but would be a good practice if servers implement this.
>
> Regards,
> Vinod.



__________________
Robert Quattlebaum
Mobile: +1(650) 223-4974
eMail:  darco at deepdarc.com
Jabber: darco at deepdarc.com
WWW:    http://www.deepdarc.com/




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20060327/1a1af4b1/attachment-0002.htm>


More information about the JDev mailing list