[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)
melo at simplicidade.org
Fri Jan 23 12:08:19 UTC 2009
On Jan 20, 2009, at 7:12 PM, Peter Saint-Andre wrote:
> Marcus Lundblad wrote:
>> tis 2009-01-13 klockan 13:28 -0700 skrev Peter Saint-Andre:
>>> Dirk Meyer wrote:
>>>> Peter Saint-Andre wrote:
>>>>> 1. authentication attempts per account
>>>>> 2. authentication attempts per IP address
>>>>> 3. connection attempts per account
>>>>> 4. connection attempts per IP address
>>>>> 5. simultaneous connections per account
>>>>> 6. simultaneous connections per account
>>>>> Currently XEP-0205 says a server could do #1 but the consequences
>>>>> might be a DoS against the legitimate user, so instead it recommends
>>>>> #4 or #6 because the spec assumes that the attacker will come from a
>>>>> different IP address than the one used by the legitimate user. But
>>>>> #4 and #6 solve the problem that Waqas mentions (a DoS attack
>>>>> launched from your same IP address, e.g. from behind the same NAT).
>>>> Most people have a NAT at home. If someone inside my home network is
>>>> running a DoS on my account, I have bigger problems than my XMPP
>>> Right, that's what I was thinking. :)
>> OTOH, an ISP could NAT a number of subscribers behind a single IP,
>> which is the one the XMPP server would see.
>> Wouldn't that be an issue?
> Yes, that would. In fact, I've heard of whole countries existing behind
> one big NAT.
I don't think the "hmm" is really necessary. Sure, there will be
scenarios where some of the rules in the DoS XEP are not adequate.
I don't believe the point of the XEP is to provide a mandatory set of
anti-DoS rules. Each server admin should be knowledgeable enough to
tweak the rules to his particular needs.
I guess the only recommendation we could make is to server vendors:
please implement enable/disable logic for each recommendation, instead
of a single Anti-DoS on/off switch.
XMPP ID: melo at simplicidade.org
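As an added illustration (not part of this thread, of XEP-0205, or of any server), a small Python model of the per-rule enable/disable logic suggested above, covering three of the counters from the list (authentication attempts per account, per IP, and simultaneous connections per IP). It shows how a per-IP authentication limit trips for unrelated accounts sharing one NAT address while a per-account limit does not, and how switching off just that rule avoids the false positive. Rule names, limits, windows and addresses are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Rule:
    enabled: bool   # each recommendation has its own switch, not one global one
    limit: int
    window: float   # seconds for attempt counters; unused for the concurrent-connection rule


@dataclass
class DosPolicy:
    # Assumed rule names and defaults; a real server would load these from config.
    rules: dict = field(default_factory=lambda: {
        "auth_per_account": Rule(True, 5, 60.0),
        "auth_per_ip": Rule(True, 20, 60.0),
        "conn_per_ip": Rule(True, 10, 0.0),
    })
    events: dict = field(default_factory=lambda: defaultdict(deque))  # sliding windows
    active: dict = field(default_factory=lambda: defaultdict(int))    # open connections per IP

    def _over(self, name, key, now):
        """Record an attempt under (rule, key) and report whether it exceeds the window limit."""
        rule = self.rules[name]
        if not rule.enabled:
            return False
        q = self.events[(name, key)]
        while q and now - q[0] > rule.window:   # drop attempts older than the window
            q.popleft()
        q.append(now)
        return len(q) > rule.limit

    def auth_attempt(self, account, ip, now):
        """Return the name of the first violated rule, or None if the attempt may proceed."""
        for name, key in (("auth_per_account", account), ("auth_per_ip", ip)):
            if self._over(name, key, now):
                return name
        return None

    def connect(self, ip):
        """Admit a new stream from ip unless the simultaneous-connection rule is enabled and full."""
        rule = self.rules["conn_per_ip"]
        if rule.enabled and self.active[ip] >= rule.limit:
            return "conn_per_ip"
        self.active[ip] += 1
        return None

    def disconnect(self, ip):
        self.active[ip] = max(0, self.active[ip] - 1)


def nat_scenario(policy, n_clients=30, nat_ip="203.0.113.7"):
    """Constructed case: n distinct accounts behind one NAT each log in once within a minute."""
    return sum(policy.auth_attempt(f"user{i}", nat_ip, now=float(i)) is not None
               for i in range(n_clients))
```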