[jdev] unsubscribe

Kwok, Larry larry.kwok at intel.com
Tue Mar 28 18:51:57 CST 2006


-----Original Message-----
From: jdev-bounces at jabber.org [mailto:jdev-bounces at jabber.org] On Behalf Of Bruce Campbell
Sent: Tuesday, March 28, 2006 9:54 PM
To: Jabber software development list
Subject: Re: [Standards-JIG] Re: [jdev] Security-related thought experiment

On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:

> Perhaps, but it needs to be clarified that such a limit must be implemented
> in a very specific way. Current implementations of "max stanza size" will
> likely not prevent this attack from being successful because it is imposed
> after the stanza is parsed. This attack is targeted at the streaming XML
> parser.
>
> Such a limiting mechanism should be implemented at the transport level, not
> at the session or presentation layers as currently implemented in most XMPP
> servers.

Yes.

Another measure that should be added to such a JEP is a maximum time value
for any stanza to be received.  This would provide against attacks which
consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep'
etc, and distributed versions of this (many connections doing this, tying
up both TCP handles and depending on how the parser is implemented,
eventually having an interesting memory allocation pattern.)

-- 
   Bruce Campbell
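The two controls discussed in the quoted thread, a per-stanza byte cap and a completion deadline applied to the raw transport bytes rather than to already-parsed stanzas, as an added Python example; this is not code from the list or from any XMPP server, and the class names, the use of Python's expat push parser, and the fake-clock `replay` helper are assumptions made here.

```python
import time
import xml.parsers.expat

class StanzaRejected(Exception):
    pass  # a stanza broke a limit; the caller should close the stream

class TransportStanzaGuard:
    """Per-stanza byte cap and completion deadline, enforced on raw socket bytes."""
    def __init__(self, max_bytes, max_seconds, clock=time.monotonic):
        self.max_bytes, self.max_seconds, self.clock = max_bytes, max_seconds, clock
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler, self.parser.EndElementHandler = self._on_start, self._on_end
        self.depth, self.fed, self.now, self.completed = 0, 0, 0.0, []
        self.stanza_offset = self.stanza_since = None  # where/when the open stanza began

    def _on_start(self, name, attrs):
        self.depth += 1
        if self.depth == 2:  # direct child of the stream root: a stanza opens
            self.stanza_offset, self.stanza_since = self.parser.CurrentByteIndex, self.now

    def _on_end(self, name):
        if self.depth == 2:  # stanza complete: stop counting bytes and time against it
            self.completed.append(name)
            self.stanza_offset = self.stanza_since = None
        self.depth -= 1

    def _check(self):
        too_big = self.stanza_offset is not None and self.fed - self.stanza_offset > self.max_bytes
        too_slow = self.stanza_since is not None and self.now - self.stanza_since > self.max_seconds
        if too_big or too_slow:
            raise StanzaRejected("stanza too large" if too_big else "stanza too slow")

    def feed(self, chunk):
        """Feed one socket chunk; limits are checked before and after parsing."""
        self.now = self.clock()
        self._check()  # an open stanza already over budget never reaches the parser
        self.fed += len(chunk)
        self.parser.Parse(chunk, False)
        self._check()  # covers a stanza that opened inside this (socket-bounded) chunk

def replay(timed_chunks, max_bytes, max_seconds):
    """Drive a guard with a fake clock; returns ('ok', names) or ('rejected', reason)."""
    clock = {"t": 0.0}
    guard = TransportStanzaGuard(max_bytes, max_seconds, clock=lambda: clock["t"])
    try:
        for clock["t"], chunk in timed_chunks:
            guard.feed(chunk)
    except StanzaRejected as exc:
        return ("rejected", str(exc))
    return ("ok", guard.completed)
```

Because the deadline is measured from the arrival of the chunk that opened the stanza, a connection that drips one byte at a time is cut off at the transport layer regardless of how the parser buffers partial tokens.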