On Mon, 27 Mar 2006, Robert B Quattlebaum, Jr. wrote:

Perhaps, but it needs to be clarified that such a limit must be implemented in a very specific way. Current implementations of "max stanza size" will likely not prevent this attack from being successful because it is imposed after the stanza is parsed. This attack is targeted at the streaming XML parser.

Such a limiting mechanism should be implemented at the transport level, not at the session or presentation layers as currently implemented in most XMPP servers.

Yes.

Another measure that should be added to such a JEP is a maximum time value for any stanza to be received. This would provide against attacks which consist of a slow stream of '<iq>baa(sleep)baa(sleep)black(sleep)sheep' etc., and distributed versions of this (many connections doing this, tying up both TCP handles and, depending on how the parser is implemented, eventually having an interesting memory allocation pattern).

--
  Bruce Campbell

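The two defensive points raised in this thread (a stanza size cap enforced on the raw bytes before they reach the streaming parser, plus a deadline for a stanza to finish arriving) can be combined in one small transport-level guard. The code below is an added illustration and not code from this thread or from any XMPP server; it uses Python's incremental `XMLPullParser`, a simplified `<stream>` root without the real XMPP namespaces, and arbitrary limits of 64 bytes and 5 seconds, all of which are assumptions for the demonstration. The clock is injectable so the slow-drip case can be simulated without sleeping.

```python
import time
import xml.etree.ElementTree as ET


class StanzaLimitError(Exception):
    """Raised when a stanza exceeds the byte budget or the receive deadline."""


class GuardedStream:
    """Wraps an incremental XML parser and enforces per-stanza limits on the
    raw byte stream *before* any byte is handed to the parser.

    Assumed simplification: the stream root is a plain <stream> element that is
    opened once and never closed; each direct child of it is one stanza.
    """

    def __init__(self, max_stanza_bytes, max_stanza_seconds, clock=time.monotonic):
        self.max_bytes = max_stanza_bytes
        self.max_seconds = max_stanza_seconds
        self.clock = clock
        self.parser = ET.XMLPullParser(events=("start", "end"))
        self.depth = 0            # 1 == inside the stream root, 2+ == inside a stanza
        self.pending = 0          # bytes received since the last completed stanza
        self.started_at = None    # clock value when the pending stanza's first byte arrived
        self.bytes_parsed = 0     # bytes actually delivered to the XML parser
        self.stanzas = []         # completed stanza elements

    def _reset(self):
        self.pending = 0
        self.started_at = None

    def _enforce(self, now):
        if self.pending > self.max_bytes:
            raise StanzaLimitError(f"stanza exceeds {self.max_bytes} bytes")
        if self.started_at is not None and now - self.started_at > self.max_seconds:
            raise StanzaLimitError(f"stanza not completed within {self.max_seconds}s")

    def feed(self, chunk: bytes):
        """Account for a chunk read from the socket, then parse it."""
        now = self.clock()
        if self.started_at is None:
            self.started_at = now
        self.pending += len(chunk)
        self._enforce(now)                 # limits are checked before parsing
        self.bytes_parsed += len(chunk)
        self.parser.feed(chunk)
        for event, elem in self.parser.read_events():
            if event == "start":
                self.depth += 1
                if self.depth == 1:        # stream root opened; it never closes,
                    self._reset()          # so do not charge it to the first stanza
            else:
                self.depth -= 1
                if self.depth == 1:        # a direct child of the root closed
                    self.stanzas.append(elem)
                    self._reset()
        if self.depth >= 2 and self.started_at is None:
            self.started_at = now          # a stanza is still open: keep the clock running

    def tick(self):
        """Call from an idle timer so a half-sent stanza is cut even when no
        further bytes arrive at all."""
        self._enforce(self.clock())


class FakeClock:
    """Constructed clock for the demonstration; advance .t manually."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo_normal_stanza():
    clock = FakeClock()
    guard = GuardedStream(64, 5, clock)
    guard.feed(b"<stream>")
    guard.feed(b"<iq id='1'><query/></iq>")
    return [s.tag for s in guard.stanzas], guard.pending


def demo_oversized_stanza():
    """Oversized payload is rejected before the parser ever sees it."""
    clock = FakeClock()
    guard = GuardedStream(64, 5, clock)
    guard.feed(b"<stream>")
    try:
        guard.feed(b"<iq>" + b"x" * 100)
    except StanzaLimitError:
        return "rejected", guard.bytes_parsed
    return "accepted", guard.bytes_parsed


def demo_slow_drip():
    """Constructed slow stream: a few bytes every two seconds, never closing <iq>."""
    clock = FakeClock()
    guard = GuardedStream(64, 5, clock)
    guard.feed(b"<stream><iq>")
    for t in (2.0, 4.0, 6.0):
        clock.t = t
        try:
            guard.feed(b"baa")
        except StanzaLimitError:
            return "rejected", t
    return "accepted", clock.t


if __name__ == "__main__":
    print(demo_normal_stanza(), demo_oversized_stanza(), demo_slow_drip())
```

The important property is that `_enforce` runs before `parser.feed`, so the 100-byte payload in the oversized case never enters the parser's buffers; a check placed after the stanza has been fully parsed, which the thread notes is the common placement, would already have paid the memory cost. The deadline is measured from the first byte of an unfinished stanza, and `tick()` lets the same rule fire from an idle timer for a connection that simply stops sending.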