[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)
melo at simplicidade.org
Wed Nov 12 12:20:11 UTC 2008
Some comments regarding version 0.2 (2007-07-10):
1. Section 4.4, Simultaneous Resources
The error type in Example 1 is 'modify'. I think it should be 'cancel'
because the request will never succeed no matter what you change in
2. Section 4.5, Stanza Size
The first response, sending back a stanza of type='error', requires the
server to keep parsing the invalid stanza to know when it ends. With a
never-ending stanza, this will cause a DoS for servers.
I think the only response to Stanza Size is the second one: as soon as
you detect an ongoing big stanza, give the stream error and close the
stream and the underlying connection.
3. Section 4.6, Multiple Recipients
Although I prefer to keep this section in case I'm missing something,
I think the problem is already covered by 4.7 and 4.8 combined.
4. Section 4.9, Service Restrictions
One amplifier service not mentioned is the session manager itself. The
server should limit the number of presence changes.
In particular the server should filter several presences with the
exact same payload.
The section only mentions access control features, and not DoS
Regarding MUCs, we should mention per-participant limits on presence
changes and messages as concrete examples of limits to provide.
Regarding PubSub, the number of published items per time period should
also be limited.
XMPP ID: melo at simplicidade.org
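The stanza-size point above (comment 2), as an added example that is not part of the original post or of XEP-0205: an incremental parser wrapper that enforces the limit on the stanza that is still open, so a never-ending stanza is cut off at the limit instead of being parsed to an end that never comes. The limit value, the StanzaSizeGuard and simulate names, and the sample stream chunks are assumptions made for illustration; the stream error conditions and namespace are the ones from RFC 6120.

```python
# Added example (not code from XEP-0205 or from the poster): a stream-side
# stanza size guard that aborts as soon as an *open* stanza has exceeded the
# limit, without waiting for its closing tag. The limit value, class and
# function names are assumptions for illustration.
import xml.parsers.expat

MAX_STANZA_BYTES = 10_000  # assumed limit; real deployments pick their own

# Stream-level error followed by the closing stream tag, which is what the
# server writes before dropping the TCP connection (RFC 6120 conditions).
POLICY_VIOLATION = (
    "<stream:error>"
    "<policy-violation xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error></stream:stream>"
)
NOT_WELL_FORMED = (
    "<stream:error>"
    "<not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error></stream:stream>"
)


class StanzaSizeGuard:
    """Incremental parser wrapper that counts bytes of the stanza in progress."""

    def __init__(self, max_stanza_bytes=MAX_STANZA_BYTES):
        self.max_stanza_bytes = max_stanza_bytes
        self.depth = 0          # 1 = inside <stream:stream>, 2+ = inside a stanza
        self.pending = 0        # bytes received since the last stanza boundary
        self.closed = False
        self.completed = []     # names of top-level stanzas that parsed completely
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        self.depth += 1

    def _end(self, name):
        if self.depth == 2:     # a top-level stanza just closed
            self.completed.append(name)
        self.depth -= 1

    def feed(self, chunk: bytes):
        """Feed one read() buffer from the socket.

        Returns None while the stream is healthy, or the stream error text to
        write before closing the socket.
        """
        if self.closed:
            raise ConnectionError("stream already closed")
        self.pending += len(chunk)
        try:
            self.parser.Parse(chunk, False)
        except xml.parsers.expat.ExpatError:
            self.closed = True
            return NOT_WELL_FORMED
        if self.depth < 2:
            # No stanza is open: everything so far was completed stanzas or
            # keepalive whitespace, so nothing is pending.
            self.pending = 0
            return None
        # A stanza is still open. The count is kept at read-buffer granularity,
        # so it can overshoot by up to one buffer; that errs toward closing
        # early, never toward parsing an unbounded stanza to its end.
        if self.pending > self.max_stanza_bytes:
            self.closed = True
            return POLICY_VIOLATION
        return None


def simulate(chunks, max_stanza_bytes=MAX_STANZA_BYTES):
    """Feed chunks in order; return the per-chunk results, stopping at the first error."""
    guard = StanzaSizeGuard(max_stanza_bytes)
    results = []
    for chunk in chunks:
        result = guard.feed(chunk)
        results.append(result)
        if result is not None:
            break
    return results


if __name__ == "__main__":
    # Constructed sample stream: header, one well-formed message, then a
    # message whose <body> never ends.
    header = (b"<stream:stream xmlns='jabber:client' "
              b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
    chunks = [header,
              b"<message to='a@example.com'><body>hi</body></message>",
              b"<message to='a@example.com'><body>",
              b"A" * 4096, b"A" * 4096, b"A" * 4096]
    for r in simulate(chunks, max_stanza_bytes=8192):
        print("ok" if r is None else r)
```

The guard never buffers the stanza itself; it only counts bytes between the event that opened the stanza and the present, which is why the decision can be made while the attacker is still sending.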
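The session-manager point above (comment 4, limiting presence changes and filtering repeated presences with the same payload), as an added example that is not part of the original post or of XEP-0205: a per-session presence limiter that drops a presence whose payload is identical to the previous one and otherwise applies a token-bucket rate limit. The PresenceLimiter name, the rate and burst values, the canonical form used for the duplicate check, and the sample presences are all assumptions made for illustration.

```python
# Added example (not code from XEP-0205 or from the poster): per-session
# presence limiting in the session manager. Duplicate suppression compares a
# canonical form of the payload; the rate limit is a token bucket. All
# numbers and names here are assumptions for illustration.
import hashlib
import xml.etree.ElementTree as ET


def _canon(el):
    """Canonical text of an element: tag, sorted attributes, stripped text, children."""
    attrs = "".join(f" {k}={v!r}" for k, v in sorted(el.attrib.items()))
    text = (el.text or "").strip()
    kids = "".join(_canon(c) for c in el)
    return f"<{el.tag}{attrs}>{text}{kids}</{el.tag}>"


def canonical_digest(presence_xml: str) -> str:
    """Digest of the presence payload, insensitive to attribute order and
    inter-element whitespace, so retransmissions of the same presence match."""
    root = ET.fromstring(presence_xml)
    return hashlib.sha256(_canon(root).encode()).hexdigest()


class PresenceLimiter:
    def __init__(self, rate_per_sec=1.0, burst=5):
        self.rate = rate_per_sec
        self.burst = burst
        self.sessions = {}   # session id -> {"tokens", "ts", "digest"}

    def decide(self, session, presence_xml, now):
        """Return 'accepted', 'duplicate' or 'rate-limited' for one presence."""
        st = self.sessions.setdefault(
            session, {"tokens": float(self.burst), "ts": now, "digest": None})
        # Refill the bucket for the time elapsed since the last presence.
        st["tokens"] = min(float(self.burst),
                           st["tokens"] + (now - st["ts"]) * self.rate)
        st["ts"] = now
        digest = canonical_digest(presence_xml)
        if digest == st["digest"]:
            # Same payload as last time: nothing to broadcast, costs no token.
            return "duplicate"
        if st["tokens"] < 1:
            return "rate-limited"
        st["tokens"] -= 1
        st["digest"] = digest
        return "accepted"


if __name__ == "__main__":
    # Constructed sample: a client flapping between states faster than allowed.
    lim = PresenceLimiter(rate_per_sec=1.0, burst=3)
    away = "<presence xmlns='jabber:client'><show>away</show></presence>"
    dnd = "<presence xmlns='jabber:client'><show>dnd</show></presence>"
    for t, p in [(0.0, away), (0.1, away), (0.2, dnd), (0.3, away), (0.4, dnd), (3.0, dnd)]:
        print(t, lim.decide("session-1", p, now=t))
```

Duplicates are checked before the bucket so that a client re-sending its unchanged presence (common after reconnects) is silently dropped without either being broadcast or eating into its allowance; a genuinely changed presence is what the rate limit governs.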