Digest authentication: auth-int susceptible to DOS attacks?


I have a question about the auth-int option of digest authentication:

Since the authentication check and the integrity check can both be done only 
after reading the entire request, I'm assuming that the server needs to 
buffer up the request body. Doesnt this open the door for an attacker to 
flood a server with a large request (like a PUT with a 200MB body)?  Since 
the request is large and server needs to buffer the request, this allows the 
attacker to cause a lot of disk-write's on the server and consume disk space 

The server can, of course, put limits on the size of the request body but 
this would limit even legitimate users. For example, if the server limits it 
to 64K, a legitimate user cannot store a file > 64K using a PUT request.

Does anybody know what is the standard/recommended solution to this problem?


Received on Monday, 2 May 2005 23:49:41 UTC