[NNTP] Fwd: Gen-art review of draft-ietf-nntpext-streaming-05
Charles Lindsey
chl at clerew.man.ac.uk
Tue Jun 14 04:16:29 PDT 2005
In <874qc2rwcf.fsf at windlord.stanford.edu> Russ Allbery <rra at stanford.edu> writes:
>However, the commands are a bit different in a few other respects. I
>proposed the following text this morning; would this help?
Not really.
> A malicious client with knowledge of the message-ids a server will be
> receiving could use a flood of CHECK commands to cause the server to
> defer offers of those articles from its other peers. If client
> authentication is not sufficient to protect against this attack, the
> server SHOULD watch for clients that send excessive CHECK commands
> without a following TAKETHIS and reject further CHECK commands (with
> 438 or 431) from that client.
>
> TAKETHIS is designed to maximize the speed of article transfer and
> therefore is the only client command followed immediately by a
> multi-line data block. Servers concerned with possible excessive
> bandwidth utilization by clients using TAKETHIS SHOULD restrict use of
> the STREAMING extension to trusted and authenticated clients.
I think the last sentence there might be of some help, but steer clear of
floods of CHECKs. I agree with Ade that if you start down that track, then
you have to go the whole way, and I don't think that is necessary.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
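As an added illustration of the heuristic in the quoted draft text (this is example code, not text or code from the draft, from Russ or from any NNTP server), a small Python model of a server's per-client STREAMING state: it answers CHECK with 238/438, defers with 431 once too many accepted offers have no following TAKETHIS, and consumes the dot-stuffed data block that follows TAKETHIS. The class name, the `max_pending` threshold and the sample message-ids are assumptions.

```python
import re
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")  # constructed loose syntax check

class StreamingPeer:
    """Hypothetical per-client STREAMING state: `pending` holds message-ids
    accepted with 238 but not yet delivered by TAKETHIS; past `max_pending`
    further CHECKs are deferred with 431 rather than parked indefinitely."""
    def __init__(self, have, max_pending=100):
        self.have = set(have)      # message-ids already in the spool
        self.pending = {}          # CHECKed but not yet TAKETHIS'd
        self.max_pending = max_pending
        self.deferred = 0          # number of 431 replies issued

    def check(self, msgid):
        if not MSGID_RE.match(msgid):
            return "501 syntax error"
        if msgid in self.have:
            return f"438 {msgid}"  # already have it, don't send
        if len(self.pending) >= self.max_pending:
            self.deferred += 1
            return f"431 {msgid}"  # too many open offers: try again later
        self.pending[msgid] = True
        return f"238 {msgid}"      # send the article

    def takethis(self, msgid, article_lines):
        self.pending.pop(msgid, None)  # the offer was honoured
        if msgid in self.have:
            return f"439 {msgid}"  # transfer rejected (duplicate)
        self.have.add(msgid)
        return f"239 {msgid}"      # transfer OK

def run_session(peer, client_lines):
    """Feed stripped client lines to `peer` and return the server replies.
    TAKETHIS alone is followed by a dot-stuffed block ending in '.'."""
    replies = []
    it = iter(client_lines)
    for line in it:
        verb, _, arg = line.partition(" ")
        if verb.upper() == "CHECK":
            replies.append(peer.check(arg))
        elif verb.upper() == "TAKETHIS":
            body = []
            for raw in it:
                if raw == ".":
                    break
                body.append(raw[1:] if raw.startswith("..") else raw)
            replies.append(peer.takethis(arg, body))
        else:
            replies.append("500 command not recognized")
    return replies
```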