
DoS connection attempts access control support?

Does Openfire support the XEP-0205 Denial of Service Best Practice?

In particular, does the Openfire server control both simultaneous and periodic/time-based connection attempts?

That is, control the number of simultaneous connections of clients (by JID and/or IP address) and servers (IP address) to the XMPP server. And, the rate at which such connection attempts can be made, for example, 10 connection attempts within a 30 minute time period.

As far as I know ejabberd can control the number of simultaneous connections. I can’t find any information regarding the Openfire position on this.

regards,

Paddy.

Hi,

Openfire does not support this.

Linux (iptables) allows limiting the number of SYN packets per minute or hour, but that’s likely not what you are looking for.

LG

Hi LG,

It is interesting to see that the XEP-0205 standard makes no reference to the use of firewalls. This is unlike other standards, for example NIST 800-44 and NIST 800-45, which discuss firewall best practice for Web and Email servers respectively.

As part of a defense-in-depth strategy (or, in the case of Openfire, its only DoS defense!) firewall rules should be instantiated to protect the XMPP server. For example, in the case of S2S DoS protection that limits connections to 1 per IP/DNS address, the following iptables rule may be implemented:

# --connlimit-above N drops once a source already holds more than N connections,
# so a per-source limit of 1 needs N=1 (N=2 would still allow two connections)
iptables -A FORWARD -i inboundIFace -p tcp -d xmppServerIP --dport 5269 -m connlimit --connlimit-above 1 -j DROP

In terms of c2s access, both the 'limit' and 'recent' iptables modules could be made use of for inbound TCP SYN connections.
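Pulling the two replies together (LG's SYN-rate remark and the s2s connlimit rule plus the c2s 'recent' suggestion above), here is an added example script that is not from this thread or from the Openfire project. It emits a complete iptables rule set for both ports: at most one s2s connection per source address on 5269, and a per-source cap of 10 c2s connection attempts per 30 minutes on 5222 (the figures from the original question). The interface name, the server address (a TEST-NET-1 address), the chain name (FORWARD, as in the rule above; INPUT if the rules run on the Openfire host itself) and the XMPP_DOS chain name are assumptions that can be overridden through the environment. The rules are printed rather than applied unless the script is run with --apply.

```shell
#!/bin/sh
# Added example: iptables rules for XEP-0205 style connection limits in front of
# an XMPP server. Values below are assumptions for illustration only.
IFACE="${IFACE:-eth0}"              # assumed inbound interface
XMPP_IP="${XMPP_IP:-192.0.2.10}"    # constructed server address (TEST-NET-1)
CHAIN="${CHAIN:-FORWARD}"           # FORWARD on a gateway, INPUT on the XMPP host itself
S2S_PORT=5269
C2S_PORT=5222
S2S_MAX="${S2S_MAX:-1}"             # simultaneous s2s connections allowed per source IP
C2S_ATTEMPTS="${C2S_ATTEMPTS:-10}"  # c2s connection attempts allowed per source IP ...
C2S_WINDOW="${C2S_WINDOW:-1800}"    # ... within this many seconds (30 minutes)

# The 'recent' rules below run --set before --update, so the SYN being examined
# is already in the list. Dropping only once attempts+1 entries exist therefore
# lets exactly C2S_ATTEMPTS through. (The module's default list depth is 20, so
# keep this value at or below 20 unless ip_pkt_list_tot is raised.)
c2s_hitcount() {
    echo $((C2S_ATTEMPTS + 1))
}

# Print the rule set. A dedicated chain keeps the XMPP-specific logic in one
# place and lets the existing policy decide about everything else (RETURN).
xmpp_dos_rules() {
    cat <<EOF
iptables -N XMPP_DOS
iptables -A $CHAIN -i $IFACE -p tcp -d $XMPP_IP --syn -m multiport --dports $C2S_PORT,$S2S_PORT -j XMPP_DOS
# s2s: drop a new connection when the source already holds more than $S2S_MAX to port $S2S_PORT
iptables -A XMPP_DOS -p tcp --dport $S2S_PORT -m connlimit --connlimit-above $S2S_MAX --connlimit-mask 32 -j DROP
# c2s: remember every SYN per source, then drop when the window holds too many
iptables -A XMPP_DOS -p tcp --dport $C2S_PORT -m recent --name xmpp_c2s --set
iptables -A XMPP_DOS -p tcp --dport $C2S_PORT -m recent --name xmpp_c2s --update --seconds $C2S_WINDOW --hitcount $(c2s_hitcount) -j DROP
iptables -A XMPP_DOS -j RETURN
EOF
}

# Count how many rules actually touch a given port (handy for a quick self-check).
rules_for_port() {
    xmpp_dos_rules | grep -v '^#' | grep -c -e "--dport $1 "
}

# Only apply when explicitly asked; the default is a review-friendly dry run.
if [ "${1-}" = "--apply" ]; then
    xmpp_dos_rules | grep -v '^#' | sh -e
else
    xmpp_dos_rules
fi
```

Two points worth noting when using this. First, `--update` refreshes the source's timestamp on every SYN, so a host that keeps hammering port 5222 stays blocked until it is quiet for the whole window; `--rcheck` instead of `--update` would let the block expire on its own. Second, iptables only sees IP addresses, so the per-JID limits XEP-0205 talks about cannot be expressed here at all; this script covers only the IP-address half of the original question.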