[jdev] Security-related thought experiment

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Sat Mar 25 01:25:06 CST 2006


On Friday 24 March 2006 22:32, Robert B Quattlebaum, Jr. wrote:
> Limiting the size of a single stanza may or may not fix the problem,
> depending on implementation. If the stanza size filter is applied to
> the stanza after it has been parsed, then this isn't good enough--the
> attack will still be successful because the stanza will never finish
> parsing. However, if the parser kept track of how large the stanza
> was getting as it was parsing it, then this attack can be avoided.
>
> Any thoughts, or other methods of preventing this attack from being
> successful? Or has this already been considered and "fixed"?

Just count the network bytes before they go into your XML parser.

Iris uses a SAX parser, and I had a limiter that would just count all the 
network bytes put into it, and reset the bytes whenever a full event (e.g. 
stanza endElement) completed.  The connection could just be dropped if the 
limit were exceeded.

However, I ended up throwing this mechanism out, because from a client 
perspective it doesn't really help at all.  The problem is that you don't 
know what your Jabber server's stanza size limit is, and some servers may not 
even have a limit.  This means that even with a limit in your client, anyone 
can DoS you by just sending a stanza larger than your client limit but 
smaller than your server limit (easily done if your server has no limit), and 
your client would happily disconnect from your own server.  Oops!

I'd say until we get a size negotiation for c2s, this problem is not "fixed".

-Justin
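The byte-counting limiter Justin describes, as an added Python example (not Iris code, which is C++, and not part of the original post): every socket read is counted outside the XML parser, the count is reset whenever a complete stanza closes, and the stream is dropped if the count passes the limit before a stanza completes. The stream header, the stanza bytes and the limit values below are constructed for the example, and the check runs after the parser has consumed each bounded read, so the parser never holds more than the limit plus one read.

```python
# Added example (not Iris code): byte counter in front of an XML push parser.
import xml.parsers.expat

class StanzaTooLarge(Exception):
    """Raised when bytes since the last completed stanza exceed the limit."""

class LimitedStreamParser:
    """Feeds raw socket reads to expat; counts bytes outside the parser."""

    def __init__(self, limit):
        self.limit = limit
        self.total = 0      # all network bytes fed so far
        self.boundary = 0   # byte offset where the last complete stanza closed
        self.depth = 0      # nesting depth; 1 = directly inside <stream:stream>
        self.stanzas = []   # names of completed top-level stanzas
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        self.depth += 1

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:
            # A full stanza just closed: reset the count to this closing tag's
            # offset (the tag's own bytes stay counted, which is conservative).
            self.stanzas.append(name)
            self.boundary = self.parser.CurrentByteIndex

    def pending(self):
        """Bytes received since the last completed stanza."""
        return self.total - self.boundary

    def feed(self, data):
        """Feed one bounded socket read; raise if no stanza completes in time."""
        self.total += len(data)
        self.parser.Parse(data, False)
        if self.pending() > self.limit:
            raise StanzaTooLarge(f"{self.pending()} bytes without a complete stanza")

def run_stream(chunks, limit):
    """Feed chunks in order; return (completed stanza names, dropped?)."""
    p = LimitedStreamParser(limit)
    for chunk in chunks:
        try:
            p.feed(chunk)
        except StanzaTooLarge:
            return p.stanzas, True   # a real server would close the socket here
    return p.stanzas, False
```

Note that the stream header itself counts toward the first stanza, so the limit has to leave room for it; and, as the post points out, a client enforcing a limit its server does not share can be made to disconnect from its own server.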


