[Standards-JIG] Re: [jdev] Security-related thought experiment
stpeter at jabber.org
Tue Mar 28 22:01:24 CST 2006
On Tue, Mar 28, 2006 at 03:54:26PM +0200, Bruce Campbell wrote:
> On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:
> >Perhaps, but it needs to be clarified that such a limit must be
> >implemented in a very specific way. Current implementations of "max stanza
> >size" will likely not prevent this attack from being successful because it
> >is imposed after the stanza is parsed. This attack is targeted at the
> >streaming XML parser.
> >Such a limiting mechanism should be implemented at the transport level,
> >not at the session or presentation layers as currently implemented in most
> >XMPP servers.
> Another measure that should be added to such a JEP is a maximum time value
> for any stanza to be received. This would provide against attacks which
> consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep'
> etc, and distributed versions of this (many connections doing this, tying
> up both TCP handles and depending on how the parser is implemented,
> eventually having an interesting memory allocation pattern.)
Y'all feel free to start writing this document. ;-)
Some of this may belong in the security considerations section of
Jabber Software Foundation
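The two transport-level limits discussed above (a byte cap on a not-yet-complete stanza, enforced before the bytes reach the streaming XML parser, and a deadline for finishing any stanza so a slow-drip "baa (sleep) baa (sleep)" stream cannot hold a parser state open indefinitely) can be sketched as follows. This is an added example written for this thread, not code from any XMPP server or from the participants; the class and function names, the injectable `clock`, the limit values and the sample stanzas are all constructed for illustration.

```python
"""Transport-level stanza limits for an XMPP stream (constructed example).

Bytes are accounted for *before* they are handed to the incremental XML
parser, so an unbounded stanza is rejected while it is still arriving, and a
per-stanza deadline catches a connection that feeds one byte at a time.
"""
import time
import xml.parsers.expat


class StanzaLimitExceeded(Exception):
    """Raised when the stanza currently being received exceeds its budget."""


class LimitedStanzaReader:
    """Incrementally parses a <stream:stream> and enforces per-stanza limits.

    Hypothetical helper: max_stanza_bytes caps one top-level stanza,
    max_stanza_seconds caps the wall-clock time to finish it. `clock` is
    injectable so the behaviour can be exercised deterministically.
    """

    def __init__(self, max_stanza_bytes, max_stanza_seconds, clock=time.monotonic):
        self.max_bytes = max_stanza_bytes
        self.max_seconds = max_stanza_seconds
        self.clock = clock
        self.depth = 0             # 0 = before <stream>, 1 = between stanzas, 2+ = inside one
        self.stanza_bytes = 0      # bytes received since the pending stanza began
        self.stanza_started = None # clock value when the pending stanza's first byte arrived
        self.stanzas = []          # names of completed top-level stanzas
        # No namespace processing: keeps the stream header prefix as a plain name.
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _reset_budget(self):
        self.stanza_bytes = 0
        self.stanza_started = None

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 1:        # stream header complete: it had its own budget
            self._reset_budget()

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:        # a top-level stanza closed cleanly
            self.stanzas.append(name)
            self._reset_budget()

    def check_deadline(self):
        """Also call this from a timer so a silent half-finished stanza times out."""
        if self.stanza_started is not None and \
                self.clock() - self.stanza_started > self.max_seconds:
            raise StanzaLimitExceeded("stanza not completed within time budget")

    def feed(self, data):
        """Account for the bytes before the parser sees them."""
        # Whitespace keepalives between stanzas do not start the clock.
        if not (self.stanza_started is None and not data.strip()):
            if self.stanza_started is None:
                self.stanza_started = self.clock()
            self.stanza_bytes += len(data)
            if self.stanza_bytes > self.max_bytes:
                raise StanzaLimitExceeded("stanza exceeds byte budget before parsing")
            self.check_deadline()
        self.parser.Parse(data, False)


# Constructed stream header used by the demos below.
HEADER = b'<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'


def demo_normal():
    """Well-formed stanzas with an idle gap and a whitespace keepalive pass."""
    t = {"now": 0.0}
    reader = LimitedStanzaReader(4096, 5.0, clock=lambda: t["now"])
    reader.feed(HEADER)
    reader.feed(b'<iq type="get" id="1"><query/></iq>')
    t["now"] += 60.0
    reader.feed(b' ')          # keepalive: must not start a stanza clock
    t["now"] += 60.0
    reader.feed(b'<presence/>')
    return reader.stanzas      # ['iq', 'presence']


def demo_oversized(max_bytes=256):
    """A stanza that never closes is rejected before the parser buffers it all."""
    reader = LimitedStanzaReader(max_bytes, 10.0, clock=lambda: 0.0)
    reader.feed(HEADER)
    reader.feed(b'<message><body>')
    try:
        for _ in range(100):
            reader.feed(b'A' * 32)
    except StanzaLimitExceeded:
        return ("rejected", reader.stanza_bytes)
    return ("accepted", reader.stanza_bytes)


def demo_slow_drip(max_seconds=5.0):
    """One byte per second: the deadline trips even though every byte is valid."""
    t = {"now": 0.0}
    reader = LimitedStanzaReader(4096, max_seconds, clock=lambda: t["now"])
    reader.feed(HEADER)
    try:
        for byte in b'<iq type="get" id="1"><query/></iq>':
            reader.feed(bytes([byte]))
            t["now"] += 1.0
    except StanzaLimitExceeded:
        return ("rejected", t["now"])
    return ("accepted", t["now"])


if __name__ == "__main__":
    print(demo_normal(), demo_oversized(), demo_slow_drip())
```

The byte counter is reset only when the parser reports a closed top-level stanza (or the completed stream header), never on the mere arrival of a chunk, so a partial tag cannot be used to zero the count; the deadline is checked on every chunk, and `check_deadline` is meant to be driven by a timer as well, since a connection that simply stops sending mid-stanza would otherwise never be re-examined.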