
Re: [Bug 11] Protection against XML Denial Of Service attacks

From: Lisa Dusseault <lisa@osafoundation.org>
Date: Fri, 2 Dec 2005 11:33:41 -0800
Message-Id: <c500881704e674c22ea70cd9f55e8469@osafoundation.org>
Cc: w3c-dist-auth@w3.org
To: Julian Reschke <julian.reschke@gmx.de>

How about adding to the DOS section?


    WebDAV servers need to be aware of the possibility of a denial of
    service attack at all levels. The proper response to such an attack
    MAY be to simply drop the connection, or if the server is able to
    make a response, the server MAY use a 400-level status request such
    as 400 (Bad Request) and indicate why the request was refused (a
    500-level status response would indicate that the problem is with
    the server, whereas unintentional DOS attacks are something the
    client is capable of remedying).


On Dec 1, 2005, at 11:26 AM, Julian Reschke wrote:

> Lisa Dusseault wrote:
>> Sorry about that -- I'll blame both a brain fart and I lost access to  
>> bugzilla immediately after I entered this so I couldn't change it.  I  
>> do see how a 4xx error is better because the same request won't  
>> succeed later.  Which 4xx response though?
>> Lisa
>
> I think 400 is just fine.
>
> See
> <http://greenbytes.de/tech/webdav/draft-reschke-webdav-rfc2518bis-latest.html#rfc.change.bz011.1>.
>
> Best regards, Julian
Received on Friday, 2 December 2005 19:33:55 GMT
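
One way a server could apply the wording proposed above, as an added example that is not part of the original message or of any WebDAV implementation: bound the XML request body while parsing it, and refuse with 400 plus a reason the client can act on. The limits, the function name `check_webdav_body` and the sample bodies are assumptions constructed for illustration.

```python
import xml.parsers.expat

# Assumed limits for illustration; the thread does not specify any.
MAX_BODY_BYTES, MAX_DEPTH, MAX_ELEMENTS = 64 * 1024, 32, 2000

class RejectedBody(Exception):
    """Raised from a parser callback; the message is sent to the client."""

def check_webdav_body(body: bytes):
    """Return (400, reason) to refuse a body, or (None, "accepted")."""
    if len(body) > MAX_BODY_BYTES:
        return 400, "request body exceeds size limit"
    state = {"depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Refuse before any entity declared in the DTD can be expanded.
        raise RejectedBody("DOCTYPE declarations are not accepted")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        if state["depth"] > MAX_DEPTH:
            raise RejectedBody("element nesting too deep")
        if state["elements"] > MAX_ELEMENTS:
            raise RejectedBody("too many elements")

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(body, True)
    except RejectedBody as exc:
        return 400, str(exc)      # client can fix the request: 4xx, not 5xx
    except xml.parsers.expat.ExpatError as exc:
        return 400, f"malformed XML: {exc}"
    return None, "accepted"

# Constructed sample bodies (not taken from the thread).
PROPFIND = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
WITH_DTD = b'<!DOCTYPE x [<!ENTITY e "text">]><x>&e;</x>'
TOO_DEEP = b"<a>" * 100 + b"</a>" * 100

if __name__ == "__main__":
    for sample in (PROPFIND, WITH_DTD, TOO_DEEP):
        print(check_webdav_body(sample))
```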
