[NNTP] STREAMING diffs (take 2)
Russ Allbery
rra at stanford.edu
Mon Jun 13 13:16:43 PDT 2005
Ken Murchison <ken at oceana.com> writes:
> As an alternative, what if we leave the existing sentence in 2.4.2 alone
> and add something a little more generic in 5 (stealing some of
> Russ' text):
> "A malicious client could use the STREAMING extension to launch a denial
> of service attack on a server. For instance, a client could cause the
> server to indefinitely defer offers of articles from its peers by
> issuing CHECK commands with specific message-ids and never sending the
> corresponding articles, or it could use a flood of TAKETHIS commands
> with unwanted articles to consume excessive bandwidth.
> To prevent such attacks, servers SHOULD be configurable to restrict the
> use of the STREAMING extension to trusted and authenticated clients
> (either via an out-of-band arrangement, or via the AUTHINFO extension
> [NNTP-AUTH]). In the absence of such a trust relationship, the server:
> - SHOULD watch for clients that send excessive CHECK commands without
> corresponding TAKETHIS commands and reject further CHECK commands (with
> 438 or 431 response) from those clients
> - SHOULD watch for clients that send excessive TAKETHIS commands with
> unwanted articles and close the connection (possibly with a 400
> response) with those clients"
This would also work for me. (400 could also be listed as a response for
dealing with excessive CHECKs.)
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>