On Fri, Jul 09, 2010 at 11:40:59AM -0500, Peter Samuelson wrote:
>
> [Stefan Sperling]
> > "Before the SO_EXCLUSIVEADDRUSE socket option was introduced, there was
> > very little a network application developer could do to prevent a
> > malicious program from binding to the port on which the network
> > application had its own sockets bound."
> >
> > So not using SO_EXCLUSIVEADDR means the denial-of-service still works?
>
> Well, the same article describes the changes made in Windows Server
> 2003: now this seems to be true only if the malicious app is running as
> the same user as svnserve.

Yes, Server 2003 should be OK without SO_EXCLUSIVEADDR. It's the older
Windows systems that will still have problems, and I don't think we
should be ignoring them (as much as I'd love it if everyone just ditched
Windows for good).

Stefan
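
The socket option discussed in this thread, as an added example that is not part of the original mail and is not svnserve's code: a listener that asks for exclusive ownership of its port on Windows, plus a self-test that checks whether a second socket can still bind to the same address. The function names make_listener and second_bind_blocked are hypothetical, and Python stands in for svnserve's C code.

```python
import socket
import sys


def make_listener(host="127.0.0.1", port=0):
    """Return a listening TCP socket whose port no other socket can share."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if sys.platform == "win32":
            # Windows: ask for exclusive ownership of the address/port.
            # The option has to be set before bind() to take effect.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_EXCLUSIVEADDRUSE, 1)
        else:
            # POSIX: SO_REUSEADDR lets a restarted server rebind past
            # TIME_WAIT, but it does not let a second socket bind to the
            # same address and port while this one is listening.
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(5)
    except OSError:
        s.close()
        raise
    return s


def second_bind_blocked(listener):
    """Self-test: True if the OS refuses a second bind to the listener's address."""
    addr = listener.getsockname()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # On Windows, SO_REUSEADDR is the option that lets a second socket
        # bind over a listener that did not request exclusive use.
        probe.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        probe.bind(addr)
    except OSError:
        return True
    finally:
        probe.close()
    return False


if __name__ == "__main__":
    srv = make_listener()
    print("listening on", srv.getsockname())
    print("second bind blocked:", second_bind_blocked(srv))
    srv.close()
```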