[Vortex] A couple of features to limit BEEP no reply attack

Benoit Amiaux b.amiaux at ateme.com
Wed Mar 25 09:49:46 CET 2009


Francis Brosnan Blazquez wrote:
> Hi,
> I've been working on a couple of features that will allow limiting how
> BEEP implements some reply requirements that may be used to setup an
> attack. 
> It would be great to know your opinion about this.

Just a few newbie comments, as a user of the vortex library.

- I'm one of the people forced to use connection termination instead of 
proper connection closure, due to misbehaving peers. It's very easy to 
trigger: just pause one peer process and wait for the other side to wait 
indefinitely. I think it's doable to implement this on top of the 
library without changing the BEEP protocol itself, by enforcing, if the 
user wants it, a timeout on expected replies. It would at least allow 
trying to close the connection properly first, instead of always 
assuming the worst and terminating it.

- About the 'no-reply' option, I'm not sure about whether it's a good 
idea not knowing whether the peer will reply or not. I like the 
semantics of an 'NFN' message much more. It would save bandwidth and not 
disrupt the in-order message mechanism per channel.

Benoit Amiaux
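The reply-timeout layer suggested in the first point, sketched as an added example in C (hypothetical helper code, not Vortex's own API): every MSG sent on a channel is recorded with a deadline, a matching RPY/ERR (or final NUL) clears it, and when replies go overdue the policy first asks for an orderly close and only terminates if the peer keeps silent. The slot table size, the `long` seconds clock and the function names are assumptions.

```c
/* Added example (hypothetical, not Vortex's own API): track each MSG sent on
 * a BEEP channel until its RPY/ERR or ANS..NUL arrives or a deadline passes. */
#define MAX_PENDING 64

typedef enum { ACT_NONE, ACT_ORDERLY_CLOSE, ACT_TERMINATE } close_action_t;
typedef struct { int in_use, channel, msgno; long deadline; } pending_t;
typedef struct {
    pending_t slots[MAX_PENDING];
    long timeout;        /* seconds the peer gets to answer one MSG */
    int orderly_tried;   /* a graceful close was already requested */
} reply_tracker_t;

/* Remember a MSG sent at time `now`; returns 0, or -1 if the table is full. */
int tracker_sent(reply_tracker_t *t, int channel, int msgno, long now) {
    for (int i = 0; i < MAX_PENDING; i++) {
        if (t->slots[i].in_use) continue;
        t->slots[i] = (pending_t){1, channel, msgno, now + t->timeout};
        return 0;
    }
    return -1;
}

/* A complete reply for (channel, msgno) arrived; returns 1 if one was expected,
 * 0 for an unsolicited reply (a misbehaving peer, worth logging). */
int tracker_replied(reply_tracker_t *t, int channel, int msgno) {
    for (int i = 0; i < MAX_PENDING; i++) {
        pending_t *p = &t->slots[i];
        if (p->in_use && p->channel == channel && p->msgno == msgno) {
            p->in_use = 0;
            return 1;
        }
    }
    return 0;
}

/* Number of expected replies overdue at time `now`. */
int tracker_overdue(const reply_tracker_t *t, long now) {
    int n = 0;
    for (int i = 0; i < MAX_PENDING; i++)
        n += (t->slots[i].in_use && t->slots[i].deadline < now);
    return n;
}

/* Policy from the mail: try a proper close first, terminate only if the peer
 * stays silent (the close request itself should be tracked the same way). */
close_action_t tracker_decide(reply_tracker_t *t, long now) {
    if (tracker_overdue(t, now) == 0) return ACT_NONE;
    if (!t->orderly_tried) { t->orderly_tried = 1; return ACT_ORDERLY_CLOSE; }
    return ACT_TERMINATE;
}
```

The application would call `tracker_decide` from its own timer and map the result onto the library's close and shutdown calls.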

