

To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
CC: "'budi@alliance.globalnetlink.com'" <budi@alliance.globalnetlink.com>, ietf-provreg@cafax.se
From: Daniel Manley <dmanley@tucows.com>
Date: Tue, 25 Sep 2001 23:17:35 -0400
Sender: owner-ietf-provreg@cafax.se
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4) Gecko/20010913
Subject: Re: Length of Reason String

I'm thinking that DoS attacks shouldn't be much of a concern in EPP 
since registrar authentication is required.  At least in the world of 
domain name registrations, ICANN would certainly have something to say 
to registrars that attempt DoS attacks on registries.

But in non-domain domains, things might be a little different.

Dan

Hollenbeck, Scott wrote:

>>-----Original Message-----
>>From: budi@alliance.globalnetlink.com
>>[mailto:budi@alliance.globalnetlink.com]
>>Sent: Tuesday, September 25, 2001 9:59 PM
>>To: ietf-provreg@cafax.se
>>Subject: RE: Length of Reason String
>>
>>
>>On 25 Sep 01, at 20:16, Hollenbeck, Scott wrote:
>>
>>>I don't see the relation to sloppy coding or DoS attacks.
>>>
>>Hi Scott,
>>I don't mean to say that we shouldn't use strings.
>>And of course we should limit the length.
>>(or shouldn't we?)
>>
>>It's just that sloppy coding in the implementation can result in a
>>DoS attack (depends on the implementation of course).
>>For example if we limit the length of reason string to 16 chars.
>>Then, I create a nasty server which sends 10.000 chars, eg
>>
>>- this-is-a-very-long-rely-beyond-32-characters-and-i-am-going-to-see-
>>which-implementation-crashes-or-give-me-access-to-their-workstation-
>>wha-ha-haAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
>>
>
>Actually, these sorts of long strings will/should get caught and flagged as
>errors by the XML parser before they get too far.  Buffer overflow might be
>a problem with a buggy parser, so I see what you're saying.  It's a risk
>with strings.
>
><Scott/>
>
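Added example, not part of the original thread: a receiving-side length check for the scenario discussed above, where a peer sends a 10,000-character reason string against a 16-character limit. The `<reason>` element name, the function names and the sample message are assumptions made for illustration, and length is counted in bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define REASON_MAX 16 /* the 16-char limit used as the example in the thread */
enum { REASON_OK = 0, REASON_MISSING = -1, REASON_TOO_LONG = -2, REASON_BAD_ARG = -3 };

/* Bounded substring search: never reads past hay + hay_len. */
static const char *find_in(const char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; n && i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0)
            return hay + i;
    return NULL;
}

/* Copy the text of the first <reason> element (assumed name) into out, which
 * must hold REASON_MAX + 1 bytes. The length is measured and checked before
 * any byte is copied, so an oversized value is rejected, not truncated. */
int extract_reason(const char *msg, size_t msg_len, char *out, size_t out_cap)
{
    static const char open_tag[] = "<reason>", close_tag[] = "</reason>";
    const char *start, *end;
    size_t len;
    if (msg == NULL || out == NULL || out_cap < REASON_MAX + 1)
        return REASON_BAD_ARG;
    start = find_in(msg, msg_len, open_tag);
    if (start == NULL)
        return REASON_MISSING;
    start += sizeof open_tag - 1;
    end = find_in(start, msg_len - (size_t)(start - msg), close_tag);
    if (end == NULL)
        return REASON_MISSING;
    len = (size_t)(end - start);
    if (len > REASON_MAX)
        return REASON_TOO_LONG; /* flag as an error, as a validating parser would */
    memcpy(out, start, len);
    out[len] = '\0';
    return REASON_OK;
}

int main(void)
{
    char out[REASON_MAX + 1];
    const char msg[] = "<reason>In use</reason>"; /* constructed sample */
    if (extract_reason(msg, sizeof msg - 1, out, sizeof out) == REASON_OK)
        printf("reason: %s\n", out);
    return 0;
}
```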



