[ejabberd] Preparing for version 1.1.2

Peter Saint-Andre stpeter at jabber.org
Mon Sep 25 06:57:59 MSD 2006


On Sun, Sep 24, 2006 at 11:02:34AM +0200, Mickael Remond wrote:
> Hello Peter,
> 
> * Peter Saint-Andre <stpeter at jabber.org> [2006-09-23 20:59:47 -0500]:
> 
> > On Sat, Sep 23, 2006 at 05:12:09PM +0200, Mickael Remond wrote:
> > 
> > > - Improved robustness: It is now possible to limit the number of opened
> > >   connections for a single user.
> > 
> > This is a good fix. In general I think that if a server does not enable
> > the admin to limit the number of simultaneous connections per user, it
> > is possible to launch a denial of service attack against the server (or
> > at least that is my experience with other server codebases).
> 
> To my knowledge, all servers are vulnerable at different levels.

Sure. Probably it would be good to define some best practices to reduce
the potential for DoS attacks.

> If you do not limit the number of opened connections per user, each new
> connection creates a presence broadcast to the previous ones and from
> the previous ones to the new one.
> Depending on the server, it will crash at a different level. At 500 opened
> connections for a single user, all servers should be very slow to
> respond, if they have not crashed before.

In my experience, 50 connections is enough to cause serious trouble.

> I suggest using this new option to limit the number of connections per
> user to 10 on a production server.

That sounds reasonable.

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
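The presence fan-out described in the thread, modelled as an added example (constructed code, not ejabberd's own; `SessionTable`, `flood` and the JIDs are hypothetical): every new session of a user exchanges presence with each existing session, so n sessions cost n*(n-1) routed stanzas, and a per-user cap of 10 bounds that cost no matter how many sessions a client attempts.

```python
"""Model of per-user presence fan-out and a per-user session cap.

Constructed example, not ejabberd code: opening the k-th session for a
user sends presence to the k-1 existing sessions and receives presence
back from each of them, i.e. 2*(k-1) stanzas, so n sessions cost
n*(n-1) stanzas in total. A server-side cap turns that into a constant.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionTable:
    """Tracks open sessions per bare JID and enforces a per-user cap."""
    max_user_sessions: Optional[int] = None   # None = unlimited (no cap)
    sessions: Dict[str, List[str]] = field(default_factory=dict)
    stanzas_routed: int = 0                   # presence stanzas the server routed

    def open_session(self, bare_jid: str, resource: str) -> bool:
        """Open a session; return False when the per-user cap rejects it."""
        existing = self.sessions.setdefault(bare_jid, [])
        if self.max_user_sessions is not None and len(existing) >= self.max_user_sessions:
            return False   # refused before any broadcast is generated
        # New resource -> each existing resource, and each existing -> new.
        self.stanzas_routed += 2 * len(existing)
        existing.append(resource)
        return True


def flood(bare_jid: str, attempts: int, limit: Optional[int] = None) -> Tuple[int, int]:
    """Try to open `attempts` sessions for one user.

    Returns (sessions accepted, presence stanzas the server had to route).
    """
    table = SessionTable(max_user_sessions=limit)
    accepted = sum(table.open_session(bare_jid, f"r{i}") for i in range(attempts))
    return accepted, table.stanzas_routed


if __name__ == "__main__":
    user = "user@example.com"   # constructed placeholder JID
    for n in (10, 50, 500):
        print(f"no cap, {n:>3} sessions -> {flood(user, n)[1]:>7} stanzas routed")
    print("cap 10, 500 attempts  ->", flood(user, 500, limit=10))
```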
