RES: [Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers

Peter Saint-Andre stpeter at jabber.org
Tue Jan 23 22:07:51 UTC 2007


Thiago Camargo wrote:
> As described in XEP (Best Practices to Discourage Denial of Service 
> Attacks Against XMPP Servers)...
> 
> Item 4.1:
> 
> I have a doubt about the maximum number of users per IP in an XMPP Server.
> 
> We do have a large number of NATs in front of company networks. And for 
> large companies that use a public IM server, this may not be applicable, as 
> they have more than 100 users connected (actually it can reach 150) to 
> a public IM server, using the same public IP.

At the jabber.org deployment we limit the number of connections from a 
single IP address to something like 20. If a large company wants to use 
Jabber, it should install its own. :-)

> What I suggest is to use 2 levels of deny:
> 
>  >>> Limit the "simultaneous connections number".
> 
> AND
> 
>  >>> Limit the "simultaneous connections number" in a "time period".
> * This will help to prevent fake attacks.
> * And make the defense more effective against 
> "Connections/Disconnections" attacks.
> If you limit just the max simultaneous connections, the attacker can 
> connect and disconnect a thousand times and still keep up his attack.

Right.

> What I suggest is to limit to 100 simultaneous users per IP, if the server 
> wants to provide some public services for companies.

See above. Install your own server!

> And another limit of 120 new connections per hour per IP.
> An attacker will need much more than 120 new connections per hour per IP 
> to damage an XMPP server.
> And please remember that attackers, or the like, don't use just one IP to 
> do an attack. Actually, they use as many IPs as possible to do their attack.

True.

/psa
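The two-level limit discussed in this thread (a cap on simultaneous connections per IP, plus a cap on new connection attempts per IP within a time window) is easy to get wrong in one direction: counting only live sessions lets a client churn connect/disconnect forever. The following is an added example, written for this archive page and not code from the XEP, from jabber.org or from any XMPP server; the class name, the defaults (20 concurrent, 120 new per hour, matching the numbers mentioned above) and the event replay are assumptions for illustration.

```python
import time
from collections import defaultdict, deque


class PerIpConnectionLimiter:
    """Two-level per-source-IP limiter (illustrative, not any server's code).

    Level 1: at most `max_concurrent` open connections per IP.
    Level 2: at most `max_new_per_window` connection *attempts* per IP in a
             sliding window of `window_seconds`, whether or not they were
             accepted at level 1.  Counting attempts rather than sessions is
             what defeats a connect/disconnect churn attack.
    """

    def __init__(self, max_concurrent=20, max_new_per_window=120,
                 window_seconds=3600):
        self.max_concurrent = max_concurrent
        self.max_new_per_window = max_new_per_window
        self.window = window_seconds
        self.active = defaultdict(int)          # ip -> open connections
        self.attempts = defaultdict(deque)      # ip -> timestamps in window

    def _prune(self, ip, now):
        # Drop attempt timestamps that have aged out of the sliding window.
        q = self.attempts[ip]
        while q and q[0] <= now - self.window:
            q.popleft()

    def connect(self, ip, now=None):
        """Decide on a new connection from `ip`; returns (allowed, reason)."""
        now = time.monotonic() if now is None else now
        self._prune(ip, now)
        q = self.attempts[ip]
        # Level 2 first: once the window is full, nothing more is recorded,
        # so an attacker cannot grow memory by hammering a rejected IP.
        if len(q) >= self.max_new_per_window:
            return False, "too-many-new-in-window"
        q.append(now)                     # every attempt counts, even if refused below
        # Level 1: refuse if this IP already holds its quota of open sessions.
        if self.active[ip] >= self.max_concurrent:
            return False, "too-many-concurrent"
        self.active[ip] += 1
        return True, "ok"

    def disconnect(self, ip):
        """Release one open connection for `ip` (no effect on the attempt window)."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


def replay(events, **limits):
    """Replay (time, ip, 'connect'|'disconnect') events; return the outcomes."""
    lim = PerIpConnectionLimiter(**limits)
    outcomes = []
    for t, ip, action in events:
        if action == "connect":
            _, reason = lim.connect(ip, now=t)
            outcomes.append((t, ip, reason))
        else:
            lim.disconnect(ip)
            outcomes.append((t, ip, "closed"))
    return outcomes


# Constructed scenario (not real traffic): a small quota so the effect is
# visible.  One IP opens 3 sessions, is refused a 4th, then churns
# connect/disconnect until the attempt window, not the session cap, stops it;
# after the window slides past the old attempts it is admitted again.
CHURN_EVENTS = [
    (0, "192.0.2.10", "connect"),
    (1, "192.0.2.10", "connect"),
    (2, "192.0.2.10", "connect"),
    (3, "192.0.2.10", "connect"),      # level 1 refuses: 3 already open
    (3, "192.0.2.10", "disconnect"),
    (4, "192.0.2.10", "connect"),      # ok again, but this is attempt #5
    (4, "192.0.2.10", "disconnect"),
    (5, "192.0.2.10", "connect"),      # level 2 refuses: window is full
    (6, "192.0.2.10", "connect"),      # still refused, nothing recorded
    (3601, "192.0.2.10", "connect"),   # attempts at t=0,1 have expired
]


def churn_outcomes():
    return replay(CHURN_EVENTS, max_concurrent=3,
                  max_new_per_window=5, window_seconds=3600)


if __name__ == "__main__":
    for t, ip, outcome in churn_outcomes():
        print(f"t={t:>5} {ip} {outcome}")
```

Note the order of the two checks: the window check runs before the session cap and is the only place a timestamp is recorded, so per-IP state is bounded by `max_new_per_window` entries no matter how hard a single source hammers the port. As the thread itself points out, neither level helps against a source that spreads its attempts over many IPs; that needs limits keyed on something other than the client address.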

