[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)

Peter Saint-Andre stpeter at stpeter.im
Tue Jan 20 19:12:44 UTC 2009


Marcus Lundblad wrote:
> tis 2009-01-13 klockan 13:28 -0700 skrev Peter Saint-Andre:
>> Dirk Meyer wrote:
>>> Peter Saint-Andre wrote:
>>>> 1. authentication attempts per account
>>>> 2. authentication attempts per IP address
>>>> 3. connection attempts per account
>>>> 4. connection attempts per IP address
>>>> 5. simultaneous connections per account
>>>> 6. simultaneous connections per account
>>>>
>>>> Currently XEP-0205 says a server could do #1 but the consequences might
>>>> be a DoS against the legitimate user, so instead it recommends #4 or #6
>>>> because the spec assumes that the attacker will come from a different IP
>>>> address than the one used by the legitimate user. But #4 and #6 don't
>>>> solve the problem that Waqas mentions (a DoS attack launched by someone
>>>> from your same IP address, e.g. from behind the same NAT).
>>> Most people have a NAT at home. If someone inside my home network is
>>> running a DoS on my account, I have bigger problems than my XMPP
>>> account.
>> Right, that's what I was thinking. :)
> 
> OTOH, an ISP could NAT a number of subscribers behind a single IP, which
> is the one the XMPP server would see.
> Wouldn't that be an issue?

Yes, that would. In fact, I've heard of whole countries existing behind
one big NAT.

Hmm.

Peter
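To make the tradeoff in this thread concrete, here is an added simulation (not code from XEP-0205 or from any of the posters) of the two authentication-failure counters, keyed per account (#1) or per IP address (#2), with the attacker placed either on a separate address or behind the same NAT as the legitimate users. The accounts and addresses are constructed for the example.

```python
from collections import defaultdict

NAT_IP = "203.0.113.10"       # constructed: one ISP NAT address shared by many subscribers
ATTACKER_IP = "198.51.100.7"  # constructed: attacker on an address of his own


def attempts(attacker_ip):
    """Constructed login attempts: (account, source_ip, succeeded, legitimate)."""
    return (
        [("alice", attacker_ip, False, False)] * 3   # attacker guesses alice's password 3 times
        + [("alice", NAT_IP, True, True),            # alice then logs in from behind the NAT
           ("bob", NAT_IP, True, True)]              # bob, also behind the NAT, logs in
    )


class FailureLimiter:
    """Refuse auth after max_failures failed attempts, keyed per account (#1) or per IP (#2)."""

    def __init__(self, key, max_failures=3):
        assert key in ("account", "ip")
        self.key, self.max_failures = key, max_failures
        self.failures = defaultdict(int)

    def _bucket(self, account, ip):
        return account if self.key == "account" else ip

    def allow(self, account, ip):
        return self.failures[self._bucket(account, ip)] < self.max_failures

    def record(self, account, ip, succeeded):
        if not succeeded:
            self.failures[self._bucket(account, ip)] += 1


def collateral(key, attacker_ip):
    """Legitimate accounts refused service under the given policy and attacker placement."""
    limiter = FailureLimiter(key)
    refused = []
    for account, ip, succeeded, legitimate in attempts(attacker_ip):
        if not limiter.allow(account, ip):
            if legitimate:
                refused.append(account)
            continue
        limiter.record(account, ip, succeeded)
    return refused
```

Per-account limiting locks alice out no matter where the attacker sits; per-IP limiting is clean only while the attacker uses a separate address, and behind a shared NAT it refuses every subscriber on that address.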