[jdev] Re: Re: s2s - invalid subsequent db:result

Gaston Dombiak gaston at jivesoftware.com
Mon May 23 13:43:54 CDT 2005


Hey Jacek,

I'm not sure if this could result in a DoS attack since the conversation 
will only take place between the authenticated servers. Unless somehow 
somebody can break the security of the Originating Server and send something 
over the socket connection. :(

Regards,

  -- Gato

"Jacek Konieczny" <jajcus at bnet.pl> wrote in message 
news:20050520080612.GE30379 at serwis2.beta...
> On Fri, May 20, 2005 at 07:11:57AM +0200, Stephen Marquard wrote:
>> Gaston Dombiak wrote:
>> >Which is the expected behavior when the subsequent <db:result/> packet is
>> >invalid or there was some kind of error during the validation process?
>> >Should the Receiving Server close the stream and the underlying TCP
>> >connection as described in Protocol 8.3 step 10?
>>
>> That was my interpretation for jabberd2 - any validation error on the
>> stream at any stage causes the stream & TCP connection to be closed.
>>
>> It should only happen if something is misconfigured on either side or
>> someone is trying to spoof a connection.
>
> Doesn't that allow a remote DoS against any established s2s connection?
>
> Greets,
> Jacek 





