[NNTP] STREAMING diffs (take 2)

Russ Allbery rra at stanford.edu
Mon Jun 13 13:16:43 PDT 2005


Ken Murchison <ken at oceana.com> writes:

> As an alternative, what if we leave the existing sentence in 2.4.2 alone
> and add something a little more generic in 5 (stealing some of
> Russ' text):

> "A malicious client could use the STREAMING extension to launch a denial
> of service attack on a server.  For instance, a client could cause the
> server to indefinitely defer offers of articles from its peers by
> issuing CHECK commands with specific message-ids and never sending the
> corresponding articles, or it could use a flood of TAKETHIS commands
> with unwanted articles to consume excessive bandwidth.

> To prevent such attacks, servers SHOULD be configurable to restrict the
> use of the STREAMING extension to trusted and authenticated clients
> (either via an out-of-band arrangement, or via the AUTHINFO extension
> [NNTP-AUTH]).  In the absence of such a trust relationship, the server:

>    - SHOULD watch for clients that send excessive CHECK commands without
>    corresponding TAKETHIS commands and reject further CHECK commands (with
>    438 or 431 response) from those clients

>    - SHOULD watch for clients that send excessive TAKETHIS commands with
>    unwanted articles and close the connection (possibly with a 400
>    response) with those clients"

This would also work for me.  (400 could also be listed as a response for
dealing with excessive CHECKs.)

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
