[Standards] Proposed XMPP Extension: Best Practices to Discourage Denial of Service Attacks Against XMPP Servers

Peter Saint-Andre stpeter at jabber.org
Mon Jan 29 22:41:10 UTC 2007


Stephan Maka wrote:
> Section 4.5 Stanza Size
> 
> In example 2 the server responds with a stanza including all children.
> Because the client has already exceeded the stanza size, the server
> should reduce bandwidth usage by only including the <error/> child.

Well, stanza size restrictions apply to what the client sends, not what 
the server sends. But it's a good idea for the server not to include the 
payload in a case like that.

> Example 3 looks like the right answer to an open element with megabytes
> of text. It should be hinted that this DoS protection should occur at
> the XML parser level.

Agreed. There are no hard and fast rules for when to send a stanza error 
and when to send a stream error, but sometimes the server needs to 
exercise self-preservation...

> Is there already some kind of negotiation of stanza sizes, preventing
> users from just pasting a 1M document inside their clients?

Not yet.

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
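The parser-level protection the two messages above agree on, as an added example that is not part of the thread or of the proposed XEP: an incremental expat parse that caps the bytes of each top-level stanza while it is still open, so a never-closed element carrying megabytes of text is cut off after at most one extra network chunk and answered with a stream error that does not echo the payload. The stanza limit, chunk size and sample traffic are assumptions constructed for the demo.

```python
import xml.parsers.expat

class StanzaTooLarge(Exception):
    """Stanza exceeded the limit; the server should send a stream error."""

class StanzaSizeGuard:
    """Depth 1 is the <stream:stream> root, depth 2 a stanza. The size check
    runs inside the parse, not after the stanza has been fully buffered."""
    def __init__(self, max_stanza_bytes):
        self.limit = max_stanza_bytes
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end
        self.depth = 0
        self.stanza_start = None   # byte offset of the open stanza's '<'
        self.fed = 0               # total bytes handed to the parser so far
        self.completed = []        # stanzas that closed within the limit

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 2:
            self.stanza_start = self.parser.CurrentByteIndex

    def _end(self, name):
        if self.depth == 2:
            if self.parser.CurrentByteIndex - self.stanza_start > self.limit:
                raise StanzaTooLarge(name)      # propagates out of Parse()
            self.completed.append(name)
            self.stanza_start = None
        self.depth -= 1

    def feed(self, chunk):
        self.fed += len(chunk)
        self.parser.Parse(chunk, False)
        # Stanza still open after this chunk and already past the limit.
        if self.stanza_start is not None and self.fed - self.stanza_start > self.limit:
            raise StanzaTooLarge("open element")

def scan_stream(chunks, max_stanza_bytes):
    """Return (verdict, completed stanza names); 'policy-violation' = close stream."""
    guard = StanzaSizeGuard(max_stanza_bytes)
    try:
        for chunk in chunks:
            guard.feed(chunk)
    except StanzaTooLarge:
        # A real server sends <stream:error/> here, without the offending payload.
        return "policy-violation", guard.completed
    return "ok", guard.completed

# Constructed sample traffic: stream header, one small stanza, then a <body>
# that never closes (stands in for a pasted multi-megabyte document).
STREAM_OPEN = b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
SMALL = b"<message to='juliet@example.com'><body>hi</body></message>"
FLOOD = b"<message to='juliet@example.com'><body>" + b"A" * 20000

def demo_chunks(chunk_size=4096):
    return [STREAM_OPEN, SMALL] + [FLOOD[i:i + chunk_size] for i in range(0, len(FLOOD), chunk_size)]
```

With a 10000-byte limit, `scan_stream(demo_chunks(), 10000)` reports the first message as completed and aborts the flood after the third 4 KB chunk, well before the 20 KB would have been buffered.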
