ietf-nntp Multiple AUTHINFOs per session
Ade Lovett
ade at lovett.com
Sun Jan 5 21:15:20 PST 2003
On 01/05/03 22:16, "Russ Allbery" <rra at stanford.edu> wrote:

> You can DoS a server a whole bunch of different ways, starting from
> opening a ton of connections and working your way up through the protocol.
> The server has to detect people who are doing things like that and cut
> them off if this is a problem.

Right. Which is relatively easy to do within a single connection, like
someone doing GROUP <group.with.lots.of.articles.#1>, GROUP <group.#2>, etc.
However, the fact that a new instantiation of the client is being suggested
when a client re-authenticates is a blatantly obvious way of killing a
server, unless serious amounts of state are saved on a reauth, which kinda
defeats the purpose of the whole thing.

It's more a case of a solution sounds ok, but then turns out to be
inherently unscalable, causing everyone needless pain (the rift between
server and client developers is big enough as it is :()

> I don't personally see much practical use for reauthenticating as a
> different user, though.

Ditto. If a client really needs two (or more) different streams to the same
news server, with different authentication credentials, then that is
entirely a client issue (i.e., it opens up the necessary connections, with
differing AUTHINFO * stuff), and not something that the server should be
dealing with.

All IMO, of course, having written a couple of "industrial-strength"
servers, and now managing a REAL one :)

-aDe