[Standards] LAST CALL: XEP-0205 (Best Practices to Discourage Denial of Service Attacks)

Pedro Melo melo at simplicidade.org
Fri Jan 23 12:08:19 UTC 2009


Hi,

On Jan 20, 2009, at 7:12 PM, Peter Saint-Andre wrote:

> Marcus Lundblad wrote:
>> tis 2009-01-13 klockan 13:28 -0700 skrev Peter Saint-Andre:
>>> Dirk Meyer wrote:
>>>> Peter Saint-Andre wrote:
>>>>> 1. authentication attempts per account
>>>>> 2. authentication attempts per IP address
>>>>> 3. connection attempts per account
>>>>> 4. connection attempts per IP address
>>>>> 5. simultaneous connections per account
>>>>> 6. simultaneous connections per account
>>>>>
>>>>> Currently XEP-0205 says a server could do #1 but the  
>>>>> consequences might
>>>>> be a DoS against the legitimate user, so instead it recommends  
>>>>> #4 or #6
>>>>> because the spec assumes that the attacker will come from a  
>>>>> different IP
>>>>> address than the one used by the legitimate user. But #4 and #6  
>>>>> don't
>>>>> solve the problem that Waqas mentions (a DoS attack launched by  
>>>>> someone
>>>>> from your same IP address, e.g. from behind the same NAT).
>>>> Must people have a NAT at home. If someone inside my home network  
>>>> is
>>>> running a DoS on my account, I have bigger problems than my XMPP
>>>> account.
>>> Right, that's what I was thinking. :)
>>
>> OTOH, an ISP could NAT a number of subscriber behind a single IP,  
>> which
>> is the one the XMPP would see.
>> Wouldn't that be an issue?
>
> Yes, that would. In fact, I've heard of whole countries existing  
> behind
> one big NAT.
>
> Hmm.

I don't think the "hmm" is really necessary. Sure, there will be  
scenarios where some of the rules in the DoS XEP are not adequate.

I don't believe the point of the XEP is to provide a mandatory set of  
anti-DoS rules. Each server admin should be knowledgeable enough to  
tweak the rules to his particular needs.

I guess the only recommendation we could make is to server vendors:  
please implement enable/disable logic for each recommendation, instead  
of a single Anti-DoS On|/off switch.

Best regards,
-- 
Pedro Melo
Blog: http://www.simplicidade.org/notes/
XMPP ID: melo at simplicidade.org
Use XMPP!





More information about the Standards mailing list