RES: RES: [Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers
Thiago Camargo
thiago at jivesoftware.com
Tue Jan 23 16:19:20 CST 2007
Do you think that it's very effective?
If you receive an attack of connections, but before a new connection the attacker disconnects.
Limiting the attack to 20 simultaneous.
How will you stop it?
What about adding the maximum connects/disconnects per hour?
Regards,
Thiago
-----Original message-----
From: standards-bounces at xmpp.org on behalf of Peter Saint-Andre
Sent: Tue 23/1/2007 16:07
To: XMPP Extension Discussion List
Subject: Re: RES: [Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers
Thiago Camargo wrote:
> As described in XEP (Best Practices to Discourage Denial of Service
> Attacks Against XMPP Servers)...
>
> Item 4.1:
>
> I have a doubt about maximum users per IP in an XMPP server.
>
> We do have a large number of NATs in front of company networks. And for
> large companies that use a public IM server, this may not be applied, as
> they have more than 100 users connected (actually it can reach 150) to
> a public IM server, using the same public IP.
At the jabber.org deployment we limit the number of connections from a
single IP address to something like 20. If a large company wants to use
Jabber, it should install its own. :-)
> What I suggest is to use 2 levels of deny:
>
> >>> Limit the "simultaneous connections number".
>
> AND
>
> >>> Limit the "simultaneous connections number" in a "time period".
> * This will help to prevent fake attacks.
> * And make the defense more effective against
> "Connections/Disconnections" attacks.
> If you limit just the max simultaneous connections, the attacker can
> connect and disconnect a thousand times and still keep up his attack.
Right.
> What I suggest is to limit 100 simultaneous users per IP, if the server
> wants to provide some public services for companies.
See above. Install your own server!
> And another limit of 120 new connections per hour per IP.
> An attacker will need much more than 120 new connections per hour per IP
> to damage an XMPP server.
> And please remember that attackers, or kind of, don't use just one IP to
> do an attack. Actually, they use as many IPs as possible to do their attack.
True.
/psa
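
The two-level limit discussed in this thread (a cap on simultaneous connections per IP plus a cap on new connections per IP in a time period), sketched as an added example that is not part of the original messages or of any XMPP server's code. The class and function names are hypothetical; the defaults are the 100 simultaneous and 120 per hour figures suggested above.

```python
import time
from collections import defaultdict, deque


class PerIPConnectionLimiter:
    """Hypothetical helper enforcing two independent per-IP limits."""

    def __init__(self, max_simultaneous=100, max_new=120, window=3600.0,
                 clock=time.monotonic):
        self.max_simultaneous = max_simultaneous
        self.max_new = max_new            # accepted connects allowed per window
        self.window = window              # window length in seconds
        self.clock = clock                # injectable so tests can control time
        self.open_count = defaultdict(int)   # ip -> currently open connections
        self.accepted = defaultdict(deque)   # ip -> timestamps of accepted connects

    def try_connect(self, ip):
        """Return (accepted, reason) for a new connection from ip."""
        now = self.clock()
        recent = self.accepted[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()              # forget connects older than the window
        if self.open_count[ip] >= self.max_simultaneous:
            return False, "simultaneous"
        if len(recent) >= self.max_new:
            return False, "rate"
        recent.append(now)
        self.open_count[ip] += 1
        return True, "ok"

    def disconnect(self, ip):
        # Closing frees a simultaneous slot but does not refund the rate
        # budget, so connect/disconnect churn is still counted.
        if self.open_count[ip] > 0:
            self.open_count[ip] -= 1


def simulate_churn(limiter, ip, cycles):
    """Connect and immediately disconnect `cycles` times; count accepts."""
    accepted = 0
    for _ in range(cycles):
        ok, _reason = limiter.try_connect(ip)
        if ok:
            accepted += 1
            limiter.disconnect(ip)
    return accepted
```

With only the simultaneous cap in effect, every churn cycle is accepted because each disconnect frees the slot again; the per-window counter is what bounds it.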