[JDEV] Filling public server's disk?
Tijl Houtbeckers
thoutbeckers at splendo.com
Thu Jan 8 12:59:24 CST 2004
On Thu, 8 Jan 2004 09:49:38 -0700, David Waite <mass at akuma.org> wrote:
> This is why most public services now use web sites for registration
> rather than having it in-protocol, and add things like word entry and
> email address verification.
What public services are you referring to? I can register a Yahoo account
and an ICQ account from the clients themselves (for Yahoo I'm sure, I
haven't registered any ICQ account *that* recently). I think AIM has a
simple web-based registration, but maybe one in the client too? And for MSN
you need a Passport so you have to fill in 20 pages of information first.
Yahoo also makes you recognize an image file with some text on it that is
supposed to be hard for machines to read.
But why would a web-based DDOS attack be harder than an all-client-based
one? It shouldn't be that hard to automate the posting of some forms!
> If I had a public server and wanted to keep in-band registration, I
> would probably require email verification. However, I don't know if
> iq:register currently has behavior defined for indicating that to a
> user/client.
Email-based verification makes it a bit harder. It would take more work to
implement a (D)DOS attack, and many ISPs restrict use of port 25 for their
clients, which means you'd have to resort to more advanced means in the
case of a DDOS attack (letting the different "zombies" in the DDOS attack
communicate amongst themselves to share which address can receive email
and which can't, for example). Still not impossible at all, but tricky
enough to probably decrease both the risk of attack and the impact of the
average attack.
However, as Jabber evolves further, there will soon enough be a point (for
some people) where you don't really need an email address anymore (at most
an SMTP <-> Jabber gateway). Should you be required to have an email
address just so you can register a Jabber account?
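As an added illustration (not code from this thread or from any Jabber server), this is one way a server could do the email verification discussed above without the unconfirmed sign-ups themselves filling the disk: the confirmation token is an HMAC the server can re-check statelessly, so nothing is stored until the address round trip completes. `SERVER_KEY`, `Registry` and the token format are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time

# Hypothetical server-side key; a real deployment loads it from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 3600  # seconds a pending confirmation stays valid


def _mac(username, email, ts):
    # Bind the token to the exact (username, email, issue time) triple.
    msg = b"\x00".join([username.encode(), email.encode(), str(ts).encode()])
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def make_token(username, email, now=None):
    """Mint the token the server would mail out; nothing is written to disk."""
    ts = int(time.time() if now is None else now)
    raw = str(ts).encode() + b"." + _mac(username, email, ts)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def verify_token(username, email, token, now=None):
    """True only if the token was minted by us for this pair and is still fresh."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        ts_bytes, mac = raw.split(b".", 1)  # timestamp digits never contain '.'
        ts = int(ts_bytes)
    except (ValueError, TypeError):
        return False  # malformed token
    if not hmac.compare_digest(mac, _mac(username, email, ts)):
        return False  # forged, or username/email swapped after issue
    return 0 <= now - ts <= TOKEN_TTL  # expired (or future-dated) tokens fail


class Registry:
    """Accounts exist only after the email round trip completes."""

    def __init__(self):
        self.accounts = {}

    def request(self, username, email, now=None):
        # The return value stands in for the email the server would send.
        return make_token(username, email, now)

    def confirm(self, username, email, token, now=None):
        if username in self.accounts or not verify_token(username, email, token, now):
            return False
        self.accounts[username] = email  # first and only write for this account
        return True
```

Because pending requests are never stored, an automated flood of registrations costs the server only outbound mail, which can be rate-limited separately.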