
[Bug 11] Protection against XML Denial Of Service attacks

From: <bugzilla@soe.ucsc.edu>
Date: Tue, 29 Nov 2005 10:26:17 -0800
Message-Id: <200511291826.jATIQHEL006234@ietf.cse.ucsc.edu>
To: w3c-dist-auth@w3.org

http://ietf.cse.ucsc.edu:8080/bugzilla/show_bug.cgi?id=11





------- Additional Comments From julian.reschke@greenbytes.de  2005-11-29 10:26 -------
Proposed resolution: follow pointers from
<http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.issue.bz011>,
summary:

Removed section explaining why 503 is a candidate status code for detected DOS
attacks (this doesn't make any sense at all, because if a server indeed detects
a DOS attack, it will signal a client error, not a "not now, but maybe later"
condition). Rename Section 19.6 to "Implications of XML entities", and
also explain the so-called one-billion-laughs-attack over there. Expand Section
8.1.1 to point to the various risks described in Section 19, and give advice on
how to reject those requests.



Received on Tuesday, 29 November 2005 18:26:50 GMT
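
The kind of rejection the summary above refers to, as an added example that is not part of the original message or of the draft: a server-side screen that refuses any WebDAV request body declaring its own XML entities, before a single reference can be expanded, and reports it as a client error rather than 503. The function name, the choice of 400 as the client-error status, and both sample bodies are assumptions constructed for this illustration.

```python
import xml.parsers.expat
from typing import Optional, Tuple


class EntityDeclared(ValueError):
    """A request body tried to declare an XML entity."""


def screen_request_body(body: bytes) -> Optional[Tuple[int, str]]:
    """Return None if the body may be processed, else (status, reason).

    Hypothetical helper: 400 is this example's choice of client-error status.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_entity_decl(name, *rest):
        # Fires for internal and external declarations alike, at declaration
        # time, so nested definitions are never expanded.
        raise EntityDeclared(name)

    parser.EntityDeclHandler = on_entity_decl
    try:
        parser.Parse(body, True)
    except EntityDeclared as exc:
        return (400, "entity declaration not allowed: %s" % exc)
    except xml.parsers.expat.ExpatError:
        return (400, "request body is not well-formed XML")
    return None


# Constructed sample: an ordinary PROPFIND body with no DTD.
BENIGN_PROPFIND = (
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname/></D:prop></D:propfind>'
)

# Constructed sample: two-level nested entities, the shape that the
# one-billion-laughs pattern repeats many levels deep.
NESTED_ENTITIES = (
    b'<!DOCTYPE propfind [<!ENTITY a "ha"><!ENTITY b "&a;&a;">]>'
    b'<D:propfind xmlns:D="DAV:"><D:prop><D:displayname>&b;</D:displayname>'
    b'</D:prop></D:propfind>'
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_PROPFIND), ("nested", NESTED_ENTITIES)):
        print(label, screen_request_body(body))
```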
