[standards-jig] In-Band Registration and DoS protection

Tomasz Sterna tomek at smoczy.net
Sat Jan 3 15:05:51 UTC 2004


Protocol described in JEP-0077 does not target any method of validating
the input or preventing DoS attempts.

It's fairly simple to write a program that would brute-force register
thousands of accounts to block usernames and eat the server storage
effectively DoSing the server.

There is also a need for a way of validating user supplied data (e.g. an
e-mail address) and accepting it (by administrator).

Another thing is a way to show server regulations to the user and for a
user to actively agree to it.

Above is the point of view of a publicly available server that wants to
have a peaceful sleep not worrying about all the evil ones on the
Internet. ;-)

I've implemented these features via a web-based registration, but that is
not what the user expects. There is the tradition that all IM things
should be done via the client software.

-- 
 Pozdrawiam
JID:smoku at chrome.pl  http://smoczy.net/
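As an added example (not code from the message above, nor from any particular Jabber server), here is a small Python policy layer of the kind a server could place in front of its JEP-0077 handler to address the three points raised: a per-source rate limit on registration attempts so a single client cannot mass-register accounts, a pending queue so an administrator reviews the supplied e-mail address before the account goes live, and a required acceptance of the server regulations. The class name `RegistrationGate`, the method names, the limit values and the sample addresses are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed defaults for illustration only; a real server would tune these.
MAX_PER_WINDOW = 3        # registration attempts allowed per source address
WINDOW_SECONDS = 3600.0   # sliding window length in seconds
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # syntax check only


class RegistrationGate:
    """Hypothetical gate in front of an in-band registration handler.

    Every attempt from a source counts against its budget, including
    attempts that are rejected, so a client cannot probe for free.
    Accepted registrations are not activated until an administrator
    approves them, which is where the e-mail address gets validated
    by a human rather than by a regex.
    """

    def __init__(self, max_per_window=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_per_window = max_per_window
        self.window = window
        self.attempts = defaultdict(deque)  # source -> timestamps of attempts
        self.pending = {}                   # username -> data awaiting review
        self.active = set()                 # usernames approved by an admin

    def _over_limit(self, source, now):
        """Sliding-window check; records the attempt if it is allowed."""
        window = self.attempts[source]
        while window and now - window[0] >= self.window:
            window.popleft()
        if len(window) >= self.max_per_window:
            return True
        window.append(now)
        return False

    def submit(self, source, username, email, accepted_terms, now):
        """Return (status, reason) for one registration request."""
        if self._over_limit(source, now):
            return ("rejected", "rate-limited")
        if not accepted_terms:
            return ("rejected", "terms-not-accepted")
        if not EMAIL_RE.match(email):
            return ("rejected", "invalid-email")
        if username in self.active or username in self.pending:
            return ("rejected", "username-taken")
        self.pending[username] = {"source": source, "email": email,
                                  "submitted": now}
        return ("pending", "awaiting-admin-approval")

    def pending_for_review(self):
        """What the administrator sees: pending entries, oldest first."""
        return sorted(self.pending.items(), key=lambda kv: kv[1]["submitted"])

    def approve(self, username):
        """Admin accepted the supplied data; the account becomes active."""
        if username not in self.pending:
            return False
        del self.pending[username]
        self.active.add(username)
        return True

    def reject(self, username):
        """Admin rejected the request; the username is free again."""
        return self.pending.pop(username, None) is not None


if __name__ == "__main__":
    gate = RegistrationGate(max_per_window=3, window=60.0)
    # Constructed sample traffic from documentation-range addresses.
    print(gate.submit("203.0.113.5", "alice", "alice@example.org", True, 0.0))
    print(gate.submit("203.0.113.5", "bob", "bob@example.org", True, 1.0))
    print(gate.submit("203.0.113.5", "carol", "carol@example.org", True, 2.0))
    print(gate.submit("203.0.113.5", "dan", "dan@example.org", True, 3.0))
    print(gate.pending_for_review())
```

The rate limit is checked first on purpose: a client that sends malformed requests or repeats a taken username still burns its budget, so the limiter also slows down username probing. Counting per source address is the simplest choice and is what a public server can observe directly; it does not help against a distributed flood, which is why the admin-approval step exists as a second line of defence.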