ietf-nntp Multiple AUTHINFOs per session
Russ Allbery
rra at stanford.edu
Sun Jan 5 20:16:25 PST 2003

Ade Lovett <ade at lovett.com> writes:
> Gee thanks. Creating a new session has a non-zero cost. So I could
> probably DoS a server under this scheme by sending repeated requests
> (let's be clever and bounce between two accounts, rather than sending
> the same account information over and over to defeat the (if
> same(username) and same(password) do buggerall).

You can DoS a server a whole bunch of different ways, starting from
opening a ton of connections and working your way up through the protocol.
The server has to detect people who are doing things like that and cut
them off if this is a problem. I don't think that's an argument either
way; this applies to any NNTP command with any significant server-side
processing cost.

I don't personally see much practical use for reauthenticating as a
different user, though.

--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>