[NNTP] Fwd: Gen-art review of draft-ietf-nntpext-streaming-05

Charles Lindsey chl at clerew.man.ac.uk
Tue Jun 14 04:16:29 PDT 2005


In <874qc2rwcf.fsf at windlord.stanford.edu> Russ Allbery <rra at stanford.edu> writes:

>However, the commands are a bit different in a few other respects.  I
>proposed the following text this morning; would this help?

Not really.

>    A malicious client with knowledge of the message-ids a server will be
>    receiving could use a flood of CHECK commands to cause the server to
>    defer offers of those articles from its other peers.  If client
>    authentication is not sufficient to protect against this attack, the
>    server SHOULD watch for clients that send excessive CHECK commands
>    without a following TAKETHIS and reject further CHECK commands (with
>    438 or 431) from that client.

>    TAKETHIS is designed to maximize the speed of article transfer and
>    therefore is the only client command followed immediately by a
>    multi-line data block.  Servers concerned with possible excessive
>    bandwidth utilization by clients using TAKETHIS SHOULD restrict use of
>    the STREAMING extension to trusted and authenticated clients.

I think the last sentence there might be of some help, but steer clear of
floods of CHECKs. I agree with Ade that if you start down that track, then
you have to go the whole way, and I don't think that is necessary.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
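As an added illustration (not the draft's text, nor code from any NNTP server) of the CHECK-flood concern in the quoted proposal: a server that answers 238 to a CHECK holds that message-id pending, so other peers offering the same article get 431 (try later); a client that keeps issuing CHECKs without TAKETHIS can therefore keep articles deferred. The per-client cap on unanswered offers and the cut-off are assumptions of this example; the reply codes are those of the NNTP streaming extension.

```python
# Reply codes from the NNTP streaming extension: CHECK -> 238 (send it),
# 431 (try again later), 438 (do not send); TAKETHIS -> 239 (accepted).
# The cap and the cut-off policy below are this example's assumptions.

class StreamingServer:
    """Tracks offered-but-unsent articles so a CHECK flood cannot defer peers."""

    def __init__(self, max_outstanding=3, have=()):
        self.max_outstanding = max_outstanding  # 238s a client may leave unanswered
        self.have = set(have)                   # message-ids already stored
        self.pending = {}                       # msgid -> client that was told 238
        self.flooders = set()                   # clients cut off for excessive CHECKs

    def outstanding(self, client):
        return sum(1 for c in self.pending.values() if c == client)

    def handle(self, client, line):
        """Process one command line from `client` and return the reply code.
        (A real TAKETHIS is followed by the article body; only the command
        line is modelled here.)"""
        verb, _, msgid = line.partition(" ")
        verb = verb.upper()
        if verb == "CHECK":
            if client in self.flooders or msgid in self.have:
                return "438"  # the proposed text allows 438 or 431 for a cut-off client
            owner = self.pending.get(msgid)
            if owner is not None and owner != client:
                return "431"  # another peer already offered it; defer this one
            if owner is None and self.outstanding(client) >= self.max_outstanding:
                # Too many CHECKs with no TAKETHIS: cut the client off and release
                # its pending offers so other peers are no longer deferred.
                self.flooders.add(client)
                for m in [m for m, c in self.pending.items() if c == client]:
                    del self.pending[m]
                return "438"
            self.pending[msgid] = client
            return "238"
        if verb == "TAKETHIS":
            self.pending.pop(msgid, None)
            self.have.add(msgid)
            return "239"
        return "500"  # command not recognized

def demo():
    # Constructed sample: "bad" floods CHECKs and never sends; "good" offers the same id.
    srv = StreamingServer(max_outstanding=2)
    log = [("bad", srv.handle("bad", f"CHECK <{i}@example.invalid>")) for i in range(4)]
    log.append(("good", srv.handle("good", "CHECK <0@example.invalid>")))
    return log
```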
