[Standards-JIG] Re: [jdev] Security-related thought experiment

Peter Saint-Andre stpeter at jabber.org
Tue Mar 28 22:01:24 CST 2006


On Tue, Mar 28, 2006 at 03:54:26PM +0200, Bruce Campbell wrote:
> On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:
> 
> >Perhaps, but it needs to be clarified that such a limit must be 
> >implemented in a very specific way. Current implementations of "max stanza 
> >size" will likely not prevent this attack from being successful because it 
> >is imposed after the stanza is parsed. This attack is targeted at the 
> >streaming XML parser.
> >
> >Such a limiting mechanism should be implemented at the transport level, 
> >not at the session or presentation layers as currently implemented in most 
> >XMPP servers.
> 
> Yes.
> 
> Another measure that should be added to such a JEP is a maximum time value 
> for any stanza to be received.  This would provide against attacks which 
> consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep' 
> etc, and distributed versions of this (many connections doing this, tying 
> up both TCP handles and depending on how the parser is implemented, 
> eventually having an interesting memory allocation pattern.)

Y'all feel free to start writing this document. ;-)

Some of this may belong in the security considerations section of
rfc3920bis.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
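As an added illustration of the two limits discussed in the quoted thread (a per-stanza byte cap enforced on the raw stream rather than on the parsed stanza, and a per-stanza completion deadline), here is a small Python wrapper around the standard library's incremental expat parser. It is example code written for this page, not code from the thread or from any XMPP server; the class name `LimitedStanzaReader`, the 200-byte / 5-second budgets, and the sample stanzas are all constructed for the demonstration.

```python
import time
import xml.parsers.expat


class StanzaLimitExceeded(Exception):
    """Raised when the peer exceeds the per-stanza byte or time budget."""


class LimitedStanzaReader:
    """Feeds raw bytes to an incremental expat parser while enforcing limits
    at the transport layer: the budget is charged on bytes *received* since
    the last stanza boundary, before the parser ever sees them, so an
    unterminated or oversized stanza cannot make the parser buffer it.
    (Constructed example; not the design of any particular server.)"""

    def __init__(self, max_stanza_bytes=65536, max_stanza_seconds=30.0,
                 clock=time.monotonic):
        self.max_stanza_bytes = max_stanza_bytes
        self.max_stanza_seconds = max_stanza_seconds
        self.clock = clock              # injectable so tests are deterministic
        self.depth = 0                  # nesting depth; 1 == inside <stream:stream>
        self.bytes_since_stanza = 0     # raw bytes received since last stanza boundary
        self.stanza_started_at = None   # clock value at first byte of pending stanza
        self.completed = []             # names of stanzas parsed to completion
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._on_start
        self.parser.EndElementHandler = self._on_end

    def _reset_budget(self):
        self.bytes_since_stanza = 0
        self.stanza_started_at = None

    def _on_start(self, name, attrs):
        self.depth += 1
        if self.depth == 1:             # stream header complete: budget starts fresh
            self._reset_budget()

    def _on_end(self, name):
        self.depth -= 1
        if self.depth == 1:             # a top-level stanza closed
            self.completed.append(name)
            self._reset_budget()

    def check_deadline(self):
        """Called from feed() and from the server's idle timer, so a peer that
        sends '<iq>' and then goes quiet is cut off even though no more bytes
        arrive to trigger feed()."""
        if (self.stanza_started_at is not None
                and self.clock() - self.stanza_started_at > self.max_stanza_seconds):
            raise StanzaLimitExceeded(
                "stanza not completed within %.1fs" % self.max_stanza_seconds)

    def feed(self, chunk):
        """Charge the bytes against the budget first, then parse. Bytes that
        follow a stanza boundary inside the same chunk are charged to the
        next stanza only from the following chunk on (a small undercount)."""
        if self.stanza_started_at is None:
            self.stanza_started_at = self.clock()
        self.check_deadline()
        self.bytes_since_stanza += len(chunk)
        if self.bytes_since_stanza > self.max_stanza_bytes:
            raise StanzaLimitExceeded(
                "stanza exceeds %d bytes" % self.max_stanza_bytes)
        self.parser.Parse(chunk, False)


def demo():
    """Three constructed scenarios: a normal stanza, an oversized one, and a
    slowly dripped one that never completes."""
    header = b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams'>"
    results = {}

    # 1. A well-formed stanza within budget parses and resets the budget.
    r = LimitedStanzaReader(max_stanza_bytes=200, max_stanza_seconds=5.0,
                            clock=lambda: 0.0)
    r.feed(header)
    r.feed(b"<message to='a@example.com'><body>hi</body></message>")
    results["normal"] = (list(r.completed), r.bytes_since_stanza)

    # 2. An oversized stanza is refused before the parser sees the bytes.
    r = LimitedStanzaReader(max_stanza_bytes=200, max_stanza_seconds=5.0,
                            clock=lambda: 0.0)
    r.feed(header)
    try:
        r.feed(b"<message><body>" + b"A" * 300)
        results["oversized"] = "accepted"
    except StanzaLimitExceeded as e:
        results["oversized"] = str(e)

    # 3. A stanza opened and then left hanging trips the deadline from the idle timer.
    now = [0.0]
    r = LimitedStanzaReader(max_stanza_bytes=200, max_stanza_seconds=5.0,
                            clock=lambda: now[0])
    r.feed(header)
    r.feed(b"<iq type='get'>")
    now[0] = 6.0                        # peer has been silent past the budget
    try:
        r.check_deadline()
        results["slow"] = "accepted"
    except StanzaLimitExceeded as e:
        results["slow"] = str(e)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of charging the budget in `feed()` rather than in the element handlers is the one made in the thread: a "max stanza size" that is checked after the stanza has been parsed is too late, because the parser has already been made to buffer the whole thing. The deadline must likewise be checked from a timer, not only on arrival of data, or a peer that simply stops sending mid-stanza is never evicted.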
