[standards-jig] In-Band Registration and DoS protection
tomek at smoczy.net
Sat Jan 3 15:05:51 UTC 2004
The protocol described in JEP-0077 does not target any method of validating
the input or preventing DoS attempts.
It's fairly simple to write a program that would brute-force register
thousands of accounts to block usernames and eat the server storage,
effectively DoSing the server.
There is also a need for a way of validating user-supplied data (e.g. an
e-mail address) and accepting it (by an administrator).
Another thing is a way to show server regulations to the user and for a
user to actively agree to it.
The above is the point of view of a publicly available server who wants to
have a peaceful sleep, not worrying for all the evil ones in the
I've implemented these features via a web-based registration, but that is
not what the user expects. There is the tradition that all IM-things
should be done via the client software.
JID:smoku at chrome.pl http://smoczy.net/