[ejabberd] Preparing for version 1.1.2

Mickael Remond mickael.remond at process-one.net
Sun Sep 24 13:02:34 MSD 2006


Hello Peter,

* Peter Saint-Andre <stpeter at jabber.org> [2006-09-23 20:59:47 -0500]:

> On Sat, Sep 23, 2006 at 05:12:09PM +0200, Mickael Remond wrote:
> 
> > - Improved robustness: It is now possible to limit the number of opened
> >   connections for a single user.
> 
> This is a good fix. In general I think that if a server does not enable
> the admin to limit the number of simultaneous connections per user, it
> is possible to launch a denial of service attack against the server (or
> at least that is my experience with other server codebases).

To my knowledge, all servers are vulnerable at different levels.
If you do not limit the number of opened connections per user, each new
connection creates a presence broadcast to the previous ones and from
the previous ones to the new one.
Depending on the server, it will crash at different levels. At 500 opened
connections for a single user, all servers should be very slow to
respond, if they have not crashed before.
I suggest using this new option to limit the number of connections per
user to 10 on a production server.

-- 
Mickaël Rémond
 http://www.process-one.net/
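
Added example (not part of the original message, and not ejabberd code): a small model of the presence fan-out described above, comparing 500 connection attempts for one user with and without a cap of 10. The SessionManager class, the max_user_sessions parameter name, the reject-on-limit behaviour and the JID are assumptions made for illustration; only presence exchanged between the user's own connections is counted.

```python
from collections import defaultdict


class SessionLimitExceeded(Exception):
    """Raised when a user already holds the maximum number of sessions."""


class SessionManager:
    """Toy per-user session table (hypothetical model, not ejabberd code)."""

    def __init__(self, max_user_sessions=None):
        self.max_user_sessions = max_user_sessions  # None means unlimited
        self.sessions = defaultdict(set)            # bare JID -> bound resources
        self.presence_stanzas = 0                   # presence stanzas routed so far

    def open_session(self, bare_jid, resource):
        existing = self.sessions[bare_jid]
        if resource in existing:
            raise ValueError("resource already bound")
        limit = self.max_user_sessions
        if limit is not None and len(existing) >= limit:
            # Assumed policy for this model: refuse the new connection.
            raise SessionLimitExceeded(bare_jid)
        # The new connection's presence goes to every previous connection,
        # and every previous connection's presence goes to the new one.
        self.presence_stanzas += 2 * len(existing)
        existing.add(resource)


def simulate(attempts, max_user_sessions=None, bare_jid="user@example.org"):
    """Open `attempts` connections for one user (constructed input).

    Returns (accepted, rejected, presence_stanzas).
    """
    mgr = SessionManager(max_user_sessions)
    rejected = 0
    for i in range(attempts):
        try:
            mgr.open_session(bare_jid, f"res{i}")
        except SessionLimitExceeded:
            rejected += 1
    return len(mgr.sessions[bare_jid]), rejected, mgr.presence_stanzas


if __name__ == "__main__":
    for limit in (None, 10):
        accepted, rejected, stanzas = simulate(500, limit)
        print(f"limit={limit}: accepted={accepted} "
              f"rejected={rejected} presence_stanzas={stanzas}")
```

The stanza count grows as n(n-1) for n accepted connections, which is why a small cap bounds the work regardless of how many connections are attempted.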

