[Standards-JIG] Re: [jdev] Security-related thought experiment

Bruce Campbell list-jdev at vicious.dropbear.id.au
Tue Mar 28 07:54:26 CST 2006


On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:

> Perhaps, but it needs to be clarified that such a limit must be implemented 
> in a very specific way. Current implementations of "max stanza size" will 
> likely not prevent this attack from being successful because it is imposed 
> after the stanza is parsed. This attack is targeted at the streaming XML 
> parser.
>
> Such a limiting mechanism should be implemented at the transport level, not 
> at the session or presentation layers as currently implemented in most XMPP 
> servers.

Yes.

Another measure that should be added to such a JEP is a maximum time value 
for any stanza to be received.  This would provide against attacks which 
consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep' 
etc, and distributed versions of this (many connections doing this, tying 
up both TCP handles and depending on how the parser is implemented, 
eventually having an interesting memory allocation pattern.)

-- 
   Bruce Campbell
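As an added illustration (my own sketch, not code from this thread or any XMPP server), both controls described above applied on the raw byte stream in front of an incremental expat parser: a per-stanza byte cap and a per-stanza time cap, checked before the bytes reach the parser. The class and function names and the sample streams are constructed for the example.

```python
import time
import xml.parsers.expat


class StanzaLimitExceeded(Exception):
    """The stanza currently being received broke a byte or time limit."""


class GuardedStanzaReader:
    """Per-stanza byte and wall-clock limits enforced on raw bytes, ahead of parsing."""

    def __init__(self, max_stanza_bytes, max_stanza_seconds, clock=time.monotonic):
        self.max_bytes, self.max_seconds, self.clock = max_stanza_bytes, max_stanza_seconds, clock
        self.depth = 0             # 1 = inside the <stream:stream> root
        self.pending_bytes = 0     # bytes received since the last stanza boundary
        self.pending_since = None  # clock reading when the pending data began
        self.completed = 0
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth == 1:        # the stream header is not a stanza; start fresh
            self.pending_bytes, self.pending_since = 0, None

    def _end(self, name):
        self.depth -= 1
        if self.depth == 1:        # a top-level stanza just closed
            self.completed += 1
            self.pending_bytes, self.pending_since = 0, None

    def feed(self, chunk):
        """Call for every chunk read from the socket. Bytes after a boundary inside the
        same chunk are counted from the next chunk on: lenient by at most one chunk."""
        now = self.clock()
        if self.pending_since is None:
            self.pending_since = now
        self.pending_bytes += len(chunk)
        if self.pending_bytes > self.max_bytes:
            raise StanzaLimitExceeded("stanza exceeds %d bytes" % self.max_bytes)
        if now - self.pending_since > self.max_seconds:
            raise StanzaLimitExceeded("stanza not complete after %.0fs" % self.max_seconds)
        self.parser.Parse(chunk, False)   # only now do the bytes reach the XML parser


def replay(events, max_bytes=128, max_seconds=10.0):
    """Replay (time, chunk) pairs; returns ('ok', stanzas) or ('rejected', reason).
    A real server would also arm an idle timer: this check fires only on arriving data."""
    clock = {"t": 0.0}
    reader = GuardedStanzaReader(max_bytes, max_seconds, clock=lambda: clock["t"])
    try:
        for t, chunk in events:
            clock["t"] = t
            reader.feed(chunk)
    except StanzaLimitExceeded as e:
        return ("rejected", str(e))
    return ("ok", reader.completed)


STREAM = b"<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
# Constructed inputs: a well-behaved client, and the slow "baa(sleep)baa(sleep)..." drip.
HEALTHY = [(0, STREAM), (1, b"<iq type='get' id='1'><query/></iq>"), (2, b"<presence/>")]
DRIP = [(0, STREAM), (1, b"<iq>baa"), (5, b"baa"), (9, b"black"), (15, b"sheep")]
```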


