[NNTP] STREAMING diffs (take 2)
Ken Murchison
ken at oceana.com
Mon Jun 13 12:58:31 PDT 2005
Russ Allbery wrote:
> What do people think of this? If we go this route, we should probably add
> an informative reference to the authinfo draft and cite it under the
> mentions of authentication in the security considerations above.
>
As an alternative, what if we leave the existing sentence in 2.4.2 alone
and add something a little more generic in 5 (stealing some of Russ'
text):
"A malicious client could use the STREAMING extension to launch a denial
of service attack on a server. For instance, a client could cause the
server to indefinitely defer offers of articles from its peers by
issuing CHECK commands with specific message-ids and never sending the
corresponding articles, or it could use a flood of TAKETHIS commands
with unwanted articles to consume excessive bandwidth.
To prevent such attacks, servers SHOULD be configurable to restrict the
use of the STREAMING extension to trusted and authenticated clients
(either via an out-of-band arrangement, or via the AUTHINFO extension
[NNTP-AUTH]). In the absence of such a trust relationship, the server:
- SHOULD watch for clients that send excessive CHECK commands without
corresponding TAKETHIS commands and reject further CHECK commands (with
a 438 or 431 response) from those clients
- SHOULD watch for clients that send excessive TAKETHIS commands with
unwanted articles and close the connection (possibly with a 400
response) to those clients"
--
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp
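The two server-side checks proposed in the text above, worked through as an added Python example (this is not code from the thread or from any NNTP server); the per-client thresholds, the `have` set of already-held message-ids and the `article_ok` flag are assumptions standing in for a real server's configuration and article filters.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# STREAMING response codes (RFC 4644 / the draft under discussion).
CHECK_SEND = 238            # server wants the article, client should send it
CHECK_DEFER = 431           # try again later (used here to throttle CHECK floods)
CHECK_NOT_WANTED = 438      # server does not want the article
TAKETHIS_OK = 239
TAKETHIS_REJECTED = 439
SERVICE_DISCONTINUED = 400  # sent before closing an abusive connection


@dataclass
class ClientState:
    # message-ids answered 238 whose TAKETHIS has not arrived yet
    outstanding: Set[str] = field(default_factory=set)
    # number of TAKETHIS commands carrying an article the server rejected
    unwanted_takethis: int = 0


class StreamingGuard:
    """Per-client tracking for an untrusted (unauthenticated) STREAMING peer."""

    def __init__(self, have: Set[str], max_outstanding: int = 100,
                 max_unwanted: int = 50) -> None:
        self.have = set(have)                  # articles the server already holds (assumed sample)
        self.max_outstanding = max_outstanding  # assumed threshold, would be configurable
        self.max_unwanted = max_unwanted        # assumed threshold, would be configurable
        self.clients: Dict[str, ClientState] = {}

    def _state(self, client: str) -> ClientState:
        return self.clients.setdefault(client, ClientState())

    def on_check(self, client: str, msgid: str) -> int:
        st = self._state(client)
        if msgid in self.have:
            return CHECK_NOT_WANTED
        if len(st.outstanding) >= self.max_outstanding:
            return CHECK_DEFER  # too many offers never followed by TAKETHIS
        st.outstanding.add(msgid)
        return CHECK_SEND

    def on_takethis(self, client: str, msgid: str, article_ok: bool) -> Tuple[int, bool]:
        """Return (response code, close_connection) for a TAKETHIS of msgid."""
        st = self._state(client)
        st.outstanding.discard(msgid)  # the offer is fulfilled either way
        if article_ok and msgid not in self.have:
            self.have.add(msgid)
            return TAKETHIS_OK, False
        st.unwanted_takethis += 1
        if st.unwanted_takethis > self.max_unwanted:
            return SERVICE_DISCONTINUED, True
        return TAKETHIS_REJECTED, False
```

A deferred offer frees its slot as soon as the matching TAKETHIS arrives, so a well-behaved peer that merely batches many CHECKs is only slowed down, not cut off.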