[jdev] unsubscribe

Kwok, Larry larry.kwok at intel.com
Tue Mar 28 18:51:57 CST 2006

-----Original Message-----
From: jdev-bounces at jabber.org [mailto:jdev-bounces at jabber.org] On Behalf
Of Bruce Campbell
Sent: Tuesday, March 28, 2006 9:54 PM
To: Jabber software development list
Subject: Re: [Standards-JIG] Re: [jdev] Security-related thought

On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:

> Perhaps, but it needs to be clarified that such a limit must be
> in a very specific way. Current implementations of "max stanza size"
> likely not prevent this attack from being successful because it is
> after the stanza is parsed. This attack is targeted at the streaming
> parser.
> Such a limiting mechanism should be implemented at the transport
> level, not at the session or presentation layers as currently implemented in most
> servers.

Another measure that should be added to such a JEP is a maximum time
for any stanza to be received.  This would provide against attacks which
consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep'
etc, and distributed versions of this (many connections doing this,
up both TCP handles and depending on how the parser is implemented,
eventually having an interesting memory allocation pattern.)

   Bruce Campbell
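The two points raised in the quoted messages (a byte cap that is counted at the transport level before the streaming parser sees the data, plus a deadline for each stanza to finish arriving) can be combined in a small receiver wrapper. The following is an added example written for this page, not code from the jdev thread or from any Jabber server; the limits (64 KiB, 10 seconds), the stream/stanza sample data and the simulated clock are constructed for the demonstration.

```python
import time
import xml.parsers.expat


class StanzaLimitExceeded(Exception):
    """Raised when a peer exceeds the per-stanza byte or time budget."""


class StanzaReceiver:
    """Incremental XML stream reader that enforces two limits per top-level
    stanza: a byte cap applied to raw bytes before they reach the parser, and
    a deadline measured from the first non-whitespace byte of a stanza to its
    closing tag. Both are checked while the stanza is still incomplete, which
    is what a post-parse "max stanza size" check cannot do."""

    def __init__(self, max_bytes, max_seconds, clock=time.monotonic):
        self.max_bytes = max_bytes
        self.max_seconds = max_seconds
        self.clock = clock
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        self.depth = 0                 # 0 = before stream root, 1 = inside it
        self.completed = []            # names of fully received top-level stanzas
        self.bytes_in_stanza = 0       # raw bytes charged to the current stanza
        self.stanza_started_at = None  # clock value when the current stanza began

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 1:            # stream root opened: it is not a stanza
            self.bytes_in_stanza = 0
            self.stanza_started_at = None

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:            # closing tag of a top-level stanza
            self.completed.append(name)
            self.bytes_in_stanza = 0
            self.stanza_started_at = None

    def check_deadline(self, now=None):
        """Also called from a timer: a peer that goes quiet mid-stanza
        must be cut off even though no further bytes arrive."""
        now = self.clock() if now is None else now
        if self.stanza_started_at is not None and now - self.stanza_started_at > self.max_seconds:
            raise StanzaLimitExceeded("stanza not completed within %.1fs" % self.max_seconds)

    def feed(self, chunk):
        now = self.clock()
        # Whitespace keepalives between stanzas do not start the deadline;
        # any other byte (even a partial start tag like '<i') does.
        if self.stanza_started_at is None and chunk.strip():
            self.stanza_started_at = now
        # Account raw bytes BEFORE parsing: the attacker never finishes the
        # stanza, so a cap on parsed stanzas would never fire. Bytes of a
        # stanza that starts in the tail of a chunk are charged from the next chunk.
        self.bytes_in_stanza += len(chunk)
        if self.bytes_in_stanza > self.max_bytes:
            raise StanzaLimitExceeded("stanza exceeds %d bytes" % self.max_bytes)
        self.check_deadline(now)
        self.parser.Parse(chunk, False)    # ExpatError on malformed XML is left to the caller


def run_stream(events, max_bytes=64 * 1024, max_seconds=10.0):
    """Replay (delay_seconds, chunk) events against a receiver driven by a
    simulated clock; a chunk of None is a timer tick with no data.
    Returns ('ok', completed_stanza_names) or ('rejected', reason)."""
    clock = [0.0]
    recv = StanzaReceiver(max_bytes, max_seconds, clock=lambda: clock[0])
    try:
        for delay, chunk in events:
            clock[0] += delay
            if chunk is None:
                recv.check_deadline()
            else:
                recv.feed(chunk)
        recv.check_deadline()
        return ("ok", list(recv.completed))
    except StanzaLimitExceeded as exc:
        return ("rejected", str(exc))


# Constructed sample streams (not captured traffic).
STREAM_OPEN = b'<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'
WELL_BEHAVED = [
    (0.0, STREAM_OPEN),
    (0.5, b'<iq type="get" id="1"><query xmlns="jabber:iq:roster"/></iq>'),
    (60.0, b' '),                      # keepalive: no stanza, no deadline
    (0.1, b'<presence/>'),
]
SLOW_DRIP = [(0.0, STREAM_OPEN), (0.0, b'<iq>')] + [(3.0, b'baa')] * 10
OVERSIZED = [(0.0, STREAM_OPEN), (0.0, b'<message>' + b'A' * 70000)]
IDLE_MID_STANZA = [(0.0, STREAM_OPEN), (0.0, b'<iq>'), (11.0, None)]

if __name__ == "__main__":
    for name in ("WELL_BEHAVED", "SLOW_DRIP", "OVERSIZED", "IDLE_MID_STANZA"):
        print(name, run_stream(globals()[name]))
```

The deadline is started by the first non-whitespace byte rather than by the parser's start-element callback, so a dribbled, never-closed start tag is covered as well; the byte counter is only reset when a stanza actually closes (or the stream root opens), never merely because the parser has consumed a chunk, because expat buffers partial tags without reporting them.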
