[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)

Marcus Lundblad ml at update.uu.se
Tue Jan 13 20:32:17 UTC 2009


Tue 2009-01-13 at 13:28 -0700, Peter Saint-Andre wrote:
> Dirk Meyer wrote:
> > Peter Saint-Andre wrote:
> >> 1. authentication attempts per account
> >> 2. authentication attempts per IP address
> >> 3. connection attempts per account
> >> 4. connection attempts per IP address
> >> 5. simultaneous connections per account
> >> 6. simultaneous connections per account
> >>
> >> Currently XEP-0205 says a server could do #1 but the consequences might
> >> be a DoS against the legitimate user, so instead it recommends #4 or #6
> >> because the spec assumes that the attacker will come from a different IP
> >> address than the one used by the legitimate user. But #4 and #6 don't
> >> solve the problem that Waqas mentions (a DoS attack launched by someone
> >> from your same IP address, e.g. from behind the same NAT).
> > 
> > Most people have a NAT at home. If someone inside my home network is
> > running a DoS on my account, I have bigger problems than my XMPP
> > account.
> 
> Right, that's what I was thinking. :)

OTOH, an ISP could NAT a number of subscribers behind a single IP, which
is the one the XMPP server would see.
Wouldn't that be an issue?

//Marcus
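The trade-off the thread is circling (limiting authentication attempts per account locks out the legitimate user; limiting per IP address fails once attacker and victim share a NAT address) can be made concrete with a small simulation. The code below is an added example and is not part of the XEP-0205 text or of this thread; the sliding-window limiter, the threshold of 5 attempts per 60 seconds, the account name and the TEST-NET source addresses are all constructed for illustration.

```python
# Added example (not from XEP-0205 or the mailing-list thread): a per-key
# sliding-window counter used to compare "authentication attempts per
# account" (option #1) with "authentication attempts per IP address"
# (option #2), including the case where an ISP-level NAT puts the attacker
# and the legitimate user behind one source address.
# Account name, IP addresses, limit and window are constructed values.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Counts events per key inside the last `window` seconds; a key is
    refused once `limit` accepted events already fall inside that window."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)

    def allow(self, key, now):
        q = self._events[key]
        # Forget events that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # refused: counter for this key is saturated
        q.append(now)
        return True


# How each policy from the thread turns (account, source IP) into a counter key.
POLICIES = {
    "per_account": lambda account, ip: ("account", account),
    "per_ip": lambda account, ip: ("ip", ip),
}


def legit_user_survives(policy, shared_nat, limit=5, window=60.0):
    """Simulate 20 failed logins against one account from an attacker at
    t = 0..19 s, then one legitimate login to the same account at t = 20 s.
    Returns True if the legitimate login is still accepted under `policy`.

    shared_nat=True models the ISP NAT case: attacker and legitimate user
    present the same source address to the XMPP server.
    """
    key_of = POLICIES[policy]
    limiter = SlidingWindowLimiter(limit, window)
    victim = "victim@example.net"            # constructed account name
    attacker_ip = "203.0.113.7"              # constructed (TEST-NET-3)
    legit_ip = attacker_ip if shared_nat else "198.51.100.9"  # constructed (TEST-NET-2)

    for t in range(20):
        limiter.allow(key_of(victim, attacker_ip), float(t))
    return limiter.allow(key_of(victim, legit_ip), 20.0)


if __name__ == "__main__":
    for policy in POLICIES:
        for shared_nat in (False, True):
            ok = legit_user_survives(policy, shared_nat)
            print(f"{policy:12s} shared_nat={shared_nat!s:5s} "
                  f"legitimate login {'allowed' if ok else 'REFUSED'}")
```

Running it shows the dilemma directly: per-account limiting refuses the legitimate user whether or not a NAT is involved, per-IP limiting protects them only while the attacker arrives from a different address, and once both sit behind the same NAT the per-IP counter refuses the legitimate user as well.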