RES: [Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers

Peter Saint-Andre stpeter at
Tue Jan 23 22:07:51 UTC 2007

Thiago Camargo wrote:
> As described in the XEP (Best Practices to Discourage Denial of Service 
> Attacks Against XMPP Servers)...
> Item 4.1:
> I have a doubt about the maximum number of users per IP on an XMPP server.
> We do have a large number of NATs in front of company networks. And for 
> large companies that use a public IM server, this may not be applicable. As 
> they have more than 100 users connected (actually it can reach 150) to 
> a public IM server, using the same public IP.

At the deployment we limit the number of connections from a 
single IP address to something like 20. If a large company wants to use 
Jabber, it should install its own. :-)

> What I suggest is to use 2 levels of deny:
>  >>> Limit the "simultaneous connections number".
>  >>> Limit the "simultaneous connections number" in a "time period".
> * This will help to prevent fake attacks.
> * And make the defense more effective against 
> "Connections/Disconnections" attacks.
> If you limit just the max simultaneous connections, the attacker can 
> connect and disconnect a thousand times and still keep up his attack.

> What I suggest is to limit to 100 simultaneous users per IP, if the server 
> wants to provide some public services for companies.

See above. Install your own server!

> And another limit of 120 new connections per hour per IP.
> An attacker will need much more than 120 new connections per hour per IP 
> to damage an XMPP server.
> And please remember that attackers, or the like, don't use just one IP to 
> do an attack. Actually, they use as many IPs as possible to do their attack.

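The two-level limit proposed above (a cap on simultaneous connections per IP plus a cap on new connections per IP per time window), as an added example that is not part of the original thread and not code from any XMPP server. The threshold values (20 or 100 concurrent, 120 new per hour), the sample IP addresses and the traffic patterns are constructed for the illustration; the point it shows is that a connect/disconnect churn attack passes a concurrency-only limit untouched but is stopped by the per-window limit, while the per-IP concurrency cap is what bites clients behind a shared NAT address.

```python
"""Per-IP connection limiter with two levels of limits.

Added example (not from the original mailing-list thread, not from any
XMPP server).  It models the two limits discussed above:
  1. a cap on simultaneous open connections per source IP, and
  2. a cap on *new* connections per source IP within a sliding window.
Threshold values and sample traffic below are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Tuple
import time


@dataclass
class Limits:
    max_concurrent: int = 20        # simultaneous connections per IP (assumed value)
    max_new_per_window: int = 120   # new connections per IP per window (assumed value)
    window_seconds: float = 3600.0  # one hour, as in the suggestion above


class PerIPConnectionLimiter:
    """Tracks open connections and recent accepts per IP; clock is injectable for tests."""

    def __init__(self, limits: Limits, clock=time.monotonic):
        self.limits = limits
        self.clock = clock
        self.open = defaultdict(int)      # ip -> currently open connections
        self.recent = defaultdict(deque)  # ip -> accept timestamps inside the window

    def _prune(self, ip: str, now: float) -> None:
        # Drop accept timestamps that have fallen out of the sliding window.
        q = self.recent[ip]
        cutoff = now - self.limits.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()

    def on_connect(self, ip: str) -> Tuple[bool, str]:
        """Decide whether a new TCP connection from `ip` may proceed."""
        now = self.clock()
        self._prune(ip, now)
        if self.open[ip] >= self.limits.max_concurrent:
            return False, "too many simultaneous connections"
        if len(self.recent[ip]) >= self.limits.max_new_per_window:
            return False, "too many new connections in window"
        self.open[ip] += 1
        self.recent[ip].append(now)  # counted even if the client disconnects at once
        return True, "ok"

    def on_disconnect(self, ip: str) -> None:
        # Freeing the slot does NOT remove the accept from the window: that is
        # what defeats the connect/disconnect churn attack.
        if self.open[ip] > 0:
            self.open[ip] -= 1


class FakeClock:
    """Deterministic clock so the scenarios below run offline and repeatably."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_churn(attempts: int, limits: Limits, seconds_between: float = 1.0) -> int:
    """Attacker from one (constructed) IP connects, drops, repeats. Returns accepts."""
    clock = FakeClock()
    limiter = PerIPConnectionLimiter(limits, clock)
    attacker = "198.51.100.7"  # documentation range, constructed for the example
    accepted = 0
    for _ in range(attempts):
        ok, _reason = limiter.on_connect(attacker)
        if ok:
            accepted += 1
            limiter.on_disconnect(attacker)  # slot freed immediately
        clock.advance(seconds_between)
    return accepted


def simulate_nat(users: int, limits: Limits) -> int:
    """`users` legitimate clients behind one NAT address connect and stay connected."""
    clock = FakeClock()
    limiter = PerIPConnectionLimiter(limits, clock)
    nat_ip = "203.0.113.5"  # documentation range, constructed for the example
    return sum(1 for _ in range(users) if limiter.on_connect(nat_ip)[0])


if __name__ == "__main__":
    only_concurrency = Limits(max_concurrent=20, max_new_per_window=10**9)
    both_limits = Limits(max_concurrent=20, max_new_per_window=120)
    print("churn, concurrency cap only:", simulate_churn(1000, only_concurrency))
    print("churn, both limits:        ", simulate_churn(1000, both_limits))
    print("100-user NAT, cap 20:      ", simulate_nat(100, both_limits))
    print("100-user NAT, cap 100:     ", simulate_nat(100, Limits(max_concurrent=100)))
```

Run stand-alone, the churn scenario accepts all 1000 connections under a concurrency-only cap and only 120 under the combined limits, while the NAT scenario shows 80 of 100 users behind one address being refused at a cap of 20. In a real deployment the window limit still has to be chosen with the shared-address case in mind, since a company NAT reconnecting after an outage looks much like churn from a single IP.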