[Vortex] A couple of features to limit BEEP no reply attack
Benoit Amiaux
b.amiaux at ateme.com
Wed Mar 25 09:49:46 CET 2009
Hello,
Francis Brosnan Blazquez wrote:
> Hi,
> I've been working on a couple of features that will allow limiting how
> BEEP implements some reply requirements that may be used to set up an
> attack.
> It would be great to know your opinion about this.
Just a few newbie comments, as a user of the Vortex library.
- I'm one of the people forced to use connection termination instead of
proper connection closure, due to misbehaving peers. It's very easy to
trigger: just pause one peer process and wait for the other side to wait
indefinitely. I think it's doable to implement this on top of the
library without changing the BEEP protocol itself, by enforcing, if the
user wants it, a timeout on expected replies. It would allow, at least,
trying to close the connection properly first, instead of always
assuming the worst and terminating it.
- About the 'no-reply' option, I'm not sure about whether it's a good
idea not knowing whether the peer will reply or not. I like the
semantics of an 'NFN' message much more. It would save bandwidth and not
disrupt the in-order message mechanism per channel.
Bye!
Benoit Amiaux