[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)

Peter Saint-Andre stpeter at stpeter.im
Tue Jan 13 20:28:33 UTC 2009


Dirk Meyer wrote:
> Peter Saint-Andre wrote:
>> 1. authentication attempts per account
>> 2. authentication attempts per IP address
>> 3. connection attempts per account
>> 4. connection attempts per IP address
>> 5. simultaneous connections per account
>> 6. simultaneous connections per account
>>
>> Currently XEP-0205 says a server could do #1 but the consequences might
>> be a DoS against the legitimate user, so instead it recommends #4 or #6
>> because the spec assumes that the attacker will come from a different IP
>> address than the one used by the legitimate user. But #4 and #6 don't
>> solve the problem that Waqas mentions (a DoS attack launched by someone
>> from your same IP address, e.g. from behind the same NAT).
> 
> Most people have a NAT at home. If someone inside my home network is
> running a DoS on my account, I have bigger problems than my XMPP
> account.

Right, that's what I was thinking. :)
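The trade-off in the quoted list (per-account limiting, item #1, versus per-IP limiting, items #2/#4) as an added example; this is not code from the thread or from XEP-0205, and the account name and IP addresses are constructed. The same sliding-window limiter is keyed either by account or by IP, and the scenario shows why per-account limiting lets a remote attacker lock out the real user while per-IP limiting fails only when the attacker shares the user's address (the NAT case Waqas raised).

```python
from collections import defaultdict, deque


class AuthRateLimiter:
    """Sliding-window limiter on failed authentication attempts.

    The key function decides the policy: key by account (XEP-0205 item #1)
    or by source IP address (item #2). Everything else is shared.
    """

    def __init__(self, max_failures, window_seconds, key_func):
        self.max_failures = max_failures
        self.window = window_seconds
        self.key_func = key_func
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        # Drop failures that have aged out of the window.
        q = self.failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()

    def allowed(self, account, ip, now):
        key = self.key_func(account, ip)
        self._prune(key, now)
        return len(self.failures[key]) < self.max_failures

    def record_failure(self, account, ip, now):
        key = self.key_func(account, ip)
        self._prune(key, now)
        self.failures[key].append(now)


def per_account(account, ip):
    return ("account", account)


def per_ip(account, ip):
    return ("ip", ip)


def run_scenario(key_func, attacker_ip):
    """Constructed scenario: an attacker sends 5 bad logins for 'alice',
    then alice herself tries from 198.51.100.7. Returns whether alice is let in."""
    limiter = AuthRateLimiter(max_failures=5, window_seconds=60, key_func=key_func)
    for t in range(5):
        if limiter.allowed("alice", attacker_ip, now=t):
            limiter.record_failure("alice", attacker_ip, now=t)
    return limiter.allowed("alice", "198.51.100.7", now=10)
```

`run_scenario(per_account, "203.0.113.9")` denies alice (remote attacker locks her out), `run_scenario(per_ip, "203.0.113.9")` admits her, and `run_scenario(per_ip, "198.51.100.7")` denies her again because the attacker sits behind the same address.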
