[NNTP] Fwd: Gen-art review of draft-ietf-nntpext-streaming-05

Clive D.W. Feather clive at demon.net
Mon Jun 13 01:30:33 PDT 2005


Elwyn Davies said:
> The sort of thing I was thinking of was sending streams of CHECKs for
> articles and never sending TAKETHIS, or asking about or sending the
> same article repeatedly, or sending a stream of CHECKs for the same
> article that the malicious client knows the server has already.  These
> could waste quite a lot of your bandwidth!

However, this applies equally to almost any command in NNTP. Certainly STAT
can be misused in exactly the same way.

But it also applies to almost any command in any protocol. What stops an
SMTP client from repeatedly sending sequences of MAIL, 100 RCPT, and RSET
commands? What stops an HTTP client from sending lots of the check page
last changed date command? All of these make the server do lots of work for
little effort.

I agree that there is a *potential* issue here. I'm just not convinced it's
serious enough to mention here, as opposed to in a general "preventing
malicious use of TCP/IP" document.

-- 
Clive D.W. Feather  | Work:  <clive at demon.net>   | Tel:    +44 20 8495 6138
Internet Expert     | Home:  <clive at davros.org>  | Fax:    +44 870 051 9937
Demon Internet      | WWW: http://www.davros.org | Mobile: +44 7973 377646
Thus plc            |                            |
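
The misuse patterns raised in the quoted text (CHECKs that are never followed by TAKETHIS, and repeated CHECKs for one article) can be tracked with per-connection accounting on the server. The sketch below is an added example, not part of the original message or of the draft; the thresholds, class and function names, and the sample sessions are constructed for illustration.

```python
from collections import Counter

# Hypothetical thresholds for illustration; tune against real peer traffic.
MAX_UNFULFILLED = 10   # CHECKs answered 238 (send it) with no TAKETHIS after
MAX_REPEAT = 3         # CHECKs tolerated for one message-id on a connection

class StreamMonitor:
    """Per-connection accounting of streaming commands from one client."""

    def __init__(self):
        self.wanted = set()       # ids answered 238 that are still awaited
        self.per_id = Counter()   # CHECK count per message-id

    def observe(self, client_line, server_code):
        parts = client_line.split()
        if len(parts) != 2:
            return                # not a "VERB <message-id>" command line
        verb, msgid = parts[0].upper(), parts[1]
        if verb == "CHECK":
            self.per_id[msgid] += 1
            if server_code == 238:        # server asked for the article
                self.wanted.add(msgid)
        elif verb == "TAKETHIS":
            self.wanted.discard(msgid)    # the client followed through

    def findings(self):
        out = []
        if len(self.wanted) > MAX_UNFULFILLED:
            out.append("check-without-takethis")
        if any(n > MAX_REPEAT for n in self.per_id.values()):
            out.append("repeated-check")
        return out

def analyse(session):
    """Evaluate a finished session; pipelined CHECKs are pending until then."""
    mon = StreamMonitor()
    for client_line, server_code in session:
        mon.observe(client_line, server_code)
    return mon.findings()

# Constructed sessions: (client command, server reply code); bodies omitted.
NORMAL = [(f"CHECK <{i}@example.invalid>", 238) for i in range(20)] + \
         [(f"TAKETHIS <{i}@example.invalid>", 239) for i in range(20)]
NEVER_SENDS = [(f"CHECK <{i}@example.invalid>", 238) for i in range(20)]
SAME_ID = [("CHECK <a@example.invalid>", 438)] * 5

if __name__ == "__main__":
    for name in ("NORMAL", "NEVER_SENDS", "SAME_ID"):
        print(name, analyse(globals()[name]))
```

Only CHECKs that the server answered with 238 count as unfulfilled, since a peer whose offers are all refused with 438 legitimately never sends TAKETHIS.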


