On Friday 24 March 2006 22:32, Robert B Quattlebaum, Jr. wrote: > Limiting the size of a single stanza may or may not fix the problem, > depending on implementation. If the stanza size filter is applied to > the stanza after it has been parsed, then this isn't good enough--the > attack will still be successful because the stanza will never finish > parsing. However, if the parser kept track of how large the stanza > was getting as it was parsing it, then this attack can be avoided. > > Any thoughts, or other methods of preventing this attack from being > successful? Or has this already been considered and "fixed"?
Just count the network bytes before they go into your XML parser. Iris uses a SAX parser, and I had a limiter that would just count all the network bytes put into it, and reset the bytes whenever a full event (e.g. stanza endElement) completed. The connection could just be dropped if the limit were exceeded. However, I ended up throwing this mechanism out, because from a client perspective it doesn't really help at all. The problem is that you don't know what your Jabber server's stanza size limit is, and some servers may not even have a limit. This means that even with a limit in your client, anyone can DoS you by just sending a stanza larger than your client limit but smaller than your server limit (easily done if your server has no limit), and your client would happily disconnect from your own server. Oops! I'd say until we get a size negotiation for c2s, this problem is not "fixed". -Justin
