[NNTP] STREAMING diffs (take 2)
Charles Lindsey
chl at clerew.man.ac.uk
Tue Jun 14 04:21:03 PDT 2005
In <42ADE567.5030309 at oceana.com> Ken Murchison <ken at oceana.com> writes:
>Russ Allbery wrote:
>> What do people think of this? If we go this route, we should probably add
>> an informative reference to the authinfo draft and cite it under the
>> mentions of authentication in the security considerations above.
>>
>As an alternative, what if we leave the existing sentence in 2.4.2 alone
>and add something a little more generic in 5 (stealing some of
>Russ' text):
Better, but still making a big issue out of one small problem.
>"A malicious client could use the STREAMING extension to launch a denial
>of service attack on a server. For instance, a client could cause the
>server to indefinitely defer offers of articles from its peers by
>issuing CHECK commands with specific message-ids and never sending the
>corresponding articles, or it could use a flood of TAKETHIS commands
>with unwanted articles to consume excessive bandwidth.
>To prevent such attacks, servers SHOULD be configurable to restrict the
>use of the STREAMING extension to trusted and authenticated clients
>(either via an out-of-band arrangement, or via the AUTHINFO extension
>[NNTP-AUTH]). In the absence of such a trust relationship, the server:
Again, mention of restricting STREAMING to trusted clients is helpful, but
with a minimum preamble to give it some context.
And mention of locking (with MAY) might be useful.
> - SHOULD watch for clients that send excessive CHECK commands without
>corresponding TAKETHIS commands and reject further CHECK commands (with
>438 or 431 response) from those clients
> - SHOULD watch for clients that send excessive TAKETHIS commands with
>unwanted articles and close the connection (possibly with a 400
>response) with those clients"
But that lot is telling implementors things that good implementors will
understand anyway.
--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Fax: +44 161 436 6133 Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
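The two safeguards in the quoted draft text (throttle CHECK offers that are never followed by TAKETHIS, and close the connection on a flood of unwanted TAKETHIS bodies), sketched below as a server-side policy object. This is an added example, not code from the thread or from any NNTP server; the thresholds, the `trusted` set, the time-to-live on CHECK reservations and the injectable `clock` are assumptions of the example. Response codes are those of RFC 4644 (238, 239, 431, 438, 439) and RFC 3977 (400).

```python
"""Per-client abuse tracking for the NNTP STREAMING extension (CHECK/TAKETHIS).

Illustrative only (assumed thresholds, trusted set and clock); the mechanism
follows the behaviour described in the ietf-nntp thread, not any real server.
"""
import time
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ClientState:
    rejected: int = 0      # TAKETHIS bodies this client sent that were refused (439)
    closed: bool = False   # server has answered 400 and will drop the connection


class StreamingPolicy:
    def __init__(self, trusted=(), max_pending=50, max_rejected=20,
                 pending_ttl=600.0, clock=None):
        self.trusted = set(trusted)          # authenticated/out-of-band trusted peers
        self.max_pending = max_pending       # CHECKs an untrusted peer may leave open
        self.max_rejected = max_rejected     # refused TAKETHIS bodies before 400
        self.pending_ttl = pending_ttl       # seconds a CHECK reservation defers others
        self.clock = clock if clock is not None else time.monotonic
        self.clients = defaultdict(ClientState)
        self.have = set()                    # message-ids already in the spool
        self.reserved = {}                   # message-id -> (client, time of CHECK)

    def _expire(self, now):
        # A CHECK that never turns into TAKETHIS must not defer other peers'
        # offers of the same article forever: drop stale reservations.
        for msgid in [m for m, (_, t) in self.reserved.items()
                      if now - t > self.pending_ttl]:
            del self.reserved[msgid]

    def check(self, client, msgid):
        """Handle CHECK <msgid>; return the status line the server would send."""
        st = self.clients[client]
        if st.closed:
            return "400"
        now = self.clock()
        self._expire(now)
        if msgid in self.have:
            return f"438 {msgid}"                 # not wanted: already have it
        if msgid in self.reserved:
            owner, _ = self.reserved[msgid]
            if owner != client:
                return f"431 {msgid}"             # another peer is expected to send it
            return f"238 {msgid}"                 # same peer re-offering; timestamp kept
        open_offers = sum(1 for c, _ in self.reserved.values() if c == client)
        if client not in self.trusted and open_offers >= self.max_pending:
            return f"431 {msgid}"                 # throttle: too many CHECKs, no TAKETHIS
        self.reserved[msgid] = (client, now)
        return f"238 {msgid}"

    def takethis(self, client, msgid, wanted):
        """Handle TAKETHIS <msgid>; `wanted` is the server's verdict on the body."""
        st = self.clients[client]
        if st.closed:
            return "400"
        self.reserved.pop(msgid, None)            # offer fulfilled (or never made)
        if wanted and msgid not in self.have:
            self.have.add(msgid)
            return f"239 {msgid}"
        st.rejected += 1
        if client not in self.trusted and st.rejected > self.max_rejected:
            st.closed = True
            return "400"                          # flood of unwanted bodies: hang up
        return f"439 {msgid}"
```

The policy keeps reservations global (one message-id, one expected sender) but counts and limits them per client, so a peer that opens many CHECKs and never follows up is the only one throttled, and its stale reservations stop deferring everyone else once `pending_ttl` passes.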