[ejabberd] Preparing for version 1.1.2
stpeter at jabber.org
Mon Sep 25 06:57:59 MSD 2006
On Sun, Sep 24, 2006 at 11:02:34AM +0200, Mickael Remond wrote:
> Hello Peter,
> * Peter Saint-Andre <stpeter at jabber.org> [2006-09-23 20:59:47 -0500]:
> > On Sat, Sep 23, 2006 at 05:12:09PM +0200, Mickael Remond wrote:
> > > - Improved robustness: It is now possible to limit the number of opened
> > > connections for a single user.
> > This is a good fix. In general I think that if a server does not enable
> > the admin to limit the number of simultaneous connections per user, it
> > is possible to launch a denial of service attack against the server (or
> > at least that is my experience with other server codebases).
> To my knowledge, all servers are vulnerable at different levels.
Sure. Probably it would be good to define some best practices to reduce
the potential for DoS attacks.
> If you do not limit the number of opened connections per user, each new
> connection creates a presence broadcast to the previous ones and from
> the previous ones to the new one.
> Depending on the server, it will crash at a different level. At 500 opened
> connections for a single user, all servers should be very slow to
> respond, if they have not crashed before.
In my experience, 50 connections is enough to cause serious trouble.
> I suggest using this new option to limit the number of connections per
> user to 10 on a production server.
That sounds reasonable.
Jabber Software Foundation
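The fan-out the thread describes, as an added example that is not part of the original message and not ejabberd code: a small model of a server's session table in which each new connection for a bare JID triggers a presence broadcast to that user's existing sessions and one reply from each of them, so the work grows quadratically until a per-user session cap rejects further logins. The class and function names, the sample JID and the assumption that the presence cost is exactly one stanza per direction per existing session are all constructed for illustration; roster contacts are ignored.

```python
"""Model of per-user presence fan-out and a per-user session cap.

Constructed example (not ejabberd code). It counts the presence stanzas
the server has to route when one user keeps opening connections, and
shows how a hard limit on sessions per user bounds that work.
"""
from collections import defaultdict


class SessionLimitExceeded(Exception):
    """Raised when a user already holds max_user_sessions sessions."""


class SessionTable:
    """Toy session registry: bare JID -> set of resources.

    max_user_sessions=None means no limit (the pre-1.1.2 situation).
    """

    def __init__(self, max_user_sessions=None):
        self.max_user_sessions = max_user_sessions
        self.sessions = defaultdict(set)
        self.presence_sent = 0  # presence stanzas routed so far (assumed cost model)

    def open_session(self, bare_jid, resource):
        existing = self.sessions[bare_jid]
        if resource in existing:
            raise ValueError("resource already bound")
        if (self.max_user_sessions is not None
                and len(existing) >= self.max_user_sessions):
            raise SessionLimitExceeded(
                f"{bare_jid} already has {len(existing)} sessions")
        # The new session announces itself to every existing session and
        # every existing session answers with its own presence: 2 stanzas
        # per existing session (assumption of this model).
        self.presence_sent += 2 * len(existing)
        existing.add(resource)
        return len(existing)

    def close_session(self, bare_jid, resource):
        existing = self.sessions[bare_jid]
        existing.discard(resource)
        # Going offline is broadcast once to each remaining session.
        self.presence_sent += len(existing)
        return len(existing)


def presence_cost(n_attempts, max_user_sessions=None, jid="alice@example.org"):
    """Open n_attempts connections for one user; return (accepted, stanzas).

    Without a cap the stanza count is n*(n-1); with a cap of k it stays at
    k*(k-1) no matter how many attempts the client makes.
    """
    table = SessionTable(max_user_sessions)
    accepted = 0
    for i in range(n_attempts):
        try:
            table.open_session(jid, f"r{i}")
            accepted += 1
        except SessionLimitExceeded:
            pass  # the server rejects the extra login instead of fanning out
    return accepted, table.presence_sent


if __name__ == "__main__":
    for n in (10, 50, 500):
        print(f"no limit, {n:3d} connections: {presence_cost(n)[1]:7d} stanzas")
    print(f"limit 10, 500 attempts:     {presence_cost(500, 10)}")
```

With no limit, 50 connections already cost 2,450 routed presence stanzas and 500 cost 249,500, which is the quadratic growth behind the slowdowns discussed above; with the cap at 10 the same 500 login attempts produce 10 accepted sessions and 90 stanzas. To my recollection ejabberd 1.1.x exposes the limit as the `max_user_sessions` access rule in ejabberd.cfg, but check the 1.1.2 release notes for the exact option name.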