RES: [Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers
stpeter at jabber.org
Tue Jan 23 22:07:51 UTC 2007
Thiago Camargo wrote:
> As described in XEP (Best Practices to Discourage Denial of Service
> Attacks Against XMPP Servers)...
> Item 4.1:
> I have a doubt about maximum users per IP in an XMPP server.
> We do have a large number of NATs in front of company networks, and for
> large companies that use a public IM server this may not be applicable, as
> they have more than 100 users connected (actually it can reach 150) to
> a public IM server, using the same public IP.
At the jabber.org deployment we limit the number of connections from a
single IP address to something like 20. If a large company wants to use
Jabber, it should install its own. :-)
> What I suggest is to use 2 levels of deny:
> >>> Limit the "simultaneous connections number".
> >>> Limit the "simultaneous connections number" in a "time period".
> * This will help to prevent fake attacks.
> * And make the defense more effective against
> "Connections/Disconnections" attacks.
> If you limit just the max simultaneous connections, the attacker can
> connect and disconnect a thousand times and still keep up his attack.
> What I suggest is to limit to 100 simultaneous users per IP, if the server
> wants to provide some public services for companies.
See above. Install your own server!
> And another limit of 120 new connections per hour per IP.
> An attacker will need much more than 120 new connections per hour per IP
> to damage an XMPP server.
> And please remember that attackers, or the like, don't use just one IP to
> do an attack. Actually, they use as many IPs as possible to do their attack.
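Thiago's two-level scheme, a cap on simultaneous connections per IP plus a cap on new connections accepted per time window, written out as an added example that is not part of the original thread or of the XEP. The limits use the figures he proposes (100 concurrent, 120 new per hour); the IP address is a constructed documentation address standing in for a NAT gateway.

```python
from collections import defaultdict, deque

class PerIpConnectionLimiter:
    """Two-level per-IP limit: a cap on simultaneous connections plus a cap on
    new connections accepted per sliding time window (example; not the XEP's text)."""

    def __init__(self, max_concurrent=100, max_new_per_window=120, window_seconds=3600):
        self.max_concurrent = max_concurrent
        self.max_new = max_new_per_window
        self.window = window_seconds
        self.active = defaultdict(int)    # ip -> connections currently open
        self.recent = defaultdict(deque)  # ip -> accept timestamps inside the window

    def _prune(self, ip, now):
        # Drop accept timestamps that have aged out of the sliding window.
        q = self.recent[ip]
        while q and now - q[0] >= self.window:
            q.popleft()

    def on_connect(self, ip, now):
        """Decide on a new connection from ip at time `now` (seconds); returns (accepted, reason)."""
        self._prune(ip, now)
        if self.active[ip] >= self.max_concurrent:
            return False, "too many simultaneous connections"
        if len(self.recent[ip]) >= self.max_new:
            return False, "too many new connections in window"
        self.active[ip] += 1
        self.recent[ip].append(now)   # only accepted connections count toward the window
        return True, "ok"

    def on_disconnect(self, ip):
        if self.active[ip] > 0:
            self.active[ip] -= 1

def simulate_churn(limiter, ip, attempts, interval=1.0, start=0.0):
    """Connect and immediately disconnect `attempts` times from one IP, one attempt
    every `interval` seconds; returns how many attempts the limiter accepted."""
    accepted = 0
    for i in range(attempts):
        ok, _ = limiter.on_connect(ip, start + i * interval)
        if ok:
            accepted += 1
            limiter.on_disconnect(ip)
    return accepted

if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed documentation address standing in for a NAT gateway
    concurrent_only = PerIpConnectionLimiter(max_concurrent=100, max_new_per_window=10**9)
    print("concurrency cap alone accepts:", simulate_churn(concurrent_only, ip, 1000))  # 1000
    print("two-level limit accepts:", simulate_churn(PerIpConnectionLimiter(), ip, 1000))  # 120
```

The churn simulation shows the point made in the thread: a concurrency cap alone never refuses a client that connects and disconnects in a loop, while the window cap stops it after 120 connections per hour, and legitimate NAT users who stay connected are only bounded by the concurrency cap.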