[3765] in Kerberos-V5-bugs


[krbdev.mit.edu #1316] KDC TCP support needs better denial-of-service protection

daemon@ATHENA.MIT.EDU (Ken Raeburn via RT)
Tue Jan 14 20:03:08 2003

Message-Id: <rt-1316-3950.11.346882236947@krbdev.mit.edu>
In-Reply-To: <rt-1316@krbdev.mit.edu>
From: "Ken Raeburn via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Tue, 14 Jan 2003 20:02:33 -0500 (EST)


Currently the only safeguard against a denial-of-service attack is a
limited number of connections, and a bounded amount of reserved data
space the server will accept on any connection.  It would be entirely
possible for an attacker to swamp the KDC with connection requests,
causing legitimate connections to be dropped very rapidly, perhaps
before processing any requests.

Something better is desirable, but just what that should be needs some
consideration.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
