[Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers

Gustavo Felisberto humpback at felisberto.net
Sun Jan 28 18:25:40 UTC 2007


Peter Saint-Andre wrote:
> XMPP Extensions Editor wrote:
>> The XMPP Extensions Editor has received a proposal for a new XEP.
>>
>> Title: Best Practices to Discourage Denial of Service Attacks Against
>> XMPP Servers
>>
>> Abstract: This document recommends a number of practices that can
>> help discourage denial of service attacks on XMPP-based networks.
>>
>> URL: http://www.xmpp.org/extensions/inbox/dos.html
>
> Just a little something I wrote up over the weekend. It needs to be
> expanded a bit before the XMPP Council decides whether to accept it.
>
> Peter
>

4.1 Simultaneous Connections == 4.2 Connection Attempts

1-Probably:
4.1 - A server implementation SHOULD enable a server administrator to
limit the number of simultaneous connections that it will accept from a
given IP address at any one time.
4.2 - A server implementation SHOULD enable a server administrator to
limit the number of new connections that it will accept from a given IP
address in a certain amount of time.

2-Doing this at the TCP layer might be good, but sometimes it might be
hard (OS dependent). Also this should be done with caution at the TCP
layer because we might be applying it to all services and not only to XMPP.
3-I guess server implementations doing this MUST have a way to report
when these limits are being reached by a given IP, just to be safe in
cases where many NATed users from the same location connect to a
particular server.

-- 
Gustavo Felisberto
(HumpBack)
Web: http://dev.gentoo.org/~humpback
Blog: http://blog.felisberto.net/
------------
It's most certainly GNU/Linux, not Linux. Read more at
http://www.gnu.org/gnu/why-gnu-linux.html .
-------------
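
The three points raised in the message above (a per-IP cap on simultaneous connections, a per-IP cap on new connections within a time window, and a report whenever a limit is reached so that NATed sites can be spotted), as an added example that is not part of the original post or of any XMPP server. The class name `PerIPLimiter`, its parameters, the `report` callback and the sample address are assumptions.

```python
import time
from collections import defaultdict, deque

class PerIPLimiter:
    """Application-layer admission control for one listener (hypothetical helper)."""

    def __init__(self, max_simultaneous, max_new, window_seconds, report,
                 clock=time.monotonic):
        self.max_simultaneous = max_simultaneous  # 4.1: open connections per IP
        self.max_new = max_new                    # 4.2: accepted connections per window
        self.window = window_seconds
        self.report = report                      # called as report(ip, limit_name, observed)
        self.clock = clock
        self.open = defaultdict(int)              # ip -> currently open connections
        self.recent = defaultdict(deque)          # ip -> timestamps of accepted connections

    def try_accept(self, ip):
        """Return True if a new connection from ip may be accepted right now."""
        now = self.clock()
        recent = self.recent[ip]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                      # forget accepts older than the window
        if self.open[ip] >= self.max_simultaneous:
            self.report(ip, "simultaneous", self.open[ip])
            return False
        if len(recent) >= self.max_new:
            self.report(ip, "rate", len(recent))
            return False
        recent.append(now)
        self.open[ip] += 1
        return True

    def closed(self, ip):
        """Call when a previously accepted connection from ip ends."""
        if self.open[ip] > 0:
            self.open[ip] -= 1

def demo():
    # Constructed scenario: several users behind one NAT address (documentation range).
    now, events = [0.0], []
    lim = PerIPLimiter(2, 3, 10.0, lambda ip, which, n: events.append((ip, which, n)),
                       clock=lambda: now[0])
    nat = "192.0.2.10"
    results = [lim.try_accept(nat) for _ in range(3)]  # third exceeds the simultaneous cap
    lim.closed(nat)
    results.append(lim.try_accept(nat))                # third accept inside the window
    lim.closed(nat); lim.closed(nat)
    results.append(lim.try_accept(nat))                # nothing open, but rate cap reached
    now[0] = 10.0
    results.append(lim.try_accept(nat))                # window has passed, accepted again
    return results, events
```

Because the limits are enforced inside the server process, they apply to the XMPP listener only and not to every service on the host, and the `report` events give the administrator the per-IP visibility needed to raise a limit for a known NAT gateway.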
