RES: RES: [Standards] Proposed XMPP Extension: Best Practicesto DiscourageDenial of Service Attacks Against XMPP Servers
thiago at jivesoftware.com
Tue Jan 23 22:19:20 UTC 2007
Do you think that its very effective?
If you receive an attack of connections, but before a new connection, the attacker, disconnects.
Limiting the attack to 20 simultaneous.
How will you stop it?
What about adding the maximum connects/disconnects per hour?
De: standards-bounces at xmpp.org em nome de Peter Saint-Andre
Enviada: ter 23/1/2007 16:07
Para: XMPP Extension Discussion List
Assunto: Re: RES: [Standards] Proposed XMPP Extension: Best Practicesto DiscourageDenial of Service Attacks Against XMPP Servers
Thiago Camargo wrote:
> As described in XEP (Best Practices to DiscourageDenial of Service
> Attacks Against XMPP Servers)...
> Item 4.1:
> I have a doubt about maximum users per IP in a XMPP Server.
> We do have a large number of NAT in front of companies network. And for
> large companies that uses public IM server, this may not be applied. As
> they have more than 100 users connected ( actually it can reach 150 ) to
> a public IM server, using the same public IP.
At the jabber.org deployment we limit the number of connections from a
single IP address to something like 20. If a large company wants to use
Jabber, it should install its own. :-)
> What I suggest is to use 2 levels of deny:
> >>> Limit the "simultaneous connections number".
> >>> Limit the "simultaneous connections number" in a "time period".
> * This will help to prevent fake attacks.
> * And make the defense more effective against
> "Connections/Disconnections" attacks.
> If you limit just the max simultaneous connections, the attacker can
> connect and disconnect thousand times and still keeping with his attack.
> What I suggest is limit 100 simultaneous users per IP, if the server
> want to provide some public services for companies.
See above. Install your own server!
> And another limit of 120 new connections per hour per IP.
> An attacker will need much more than 120 new connections per hour per IP
> to damage a XMPP server.
> And please remember, that attackers or kind of, don´t use just one IP to
> do an attack. Actually, it uses many IPs as possible to do its attack.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Standards