PuSH hubs vulnerable to denial of service

[GoogleCodeExporter]

Hi,

I've noticed a possible denial of service if a PuSH hub were to accept
'publish' notifications without authentication from the 'publisher'.

I understand these requests are only pings. My concern is at the content
fetch, assuming it's immediate and not queued for processing later.

The spec clearly states no authentication is necessary for 'publish' requests

This means a malicious user could easily send "fake" publish requests to a
hub, thus forcing it to fetch the feeds which have been updated. At first
it doesn't seem like much of a problem, but if the feed is sufficiently
large (even worst, if the feed is generated by the malicious user), then it
could essentially cause a DoS on the hub itself.

RELEVANT SECTION:  0.3 Spec, Section 7

COMMENT/REQUEST:

I would suggest amending the Spec to include authentication of 'publish'
requests, thus preventing a hub from DoS'ing itself in the event someone
tries to fake said requests.

Original issue reported on code.google.com by alexwilliamsca on 19 May 2010 at 3:39

[GoogleCodeExporter]

Dealing with this requires a standard approach to DoS prevention. We do this in 
the reference hub here:
http://code.google.com/p/pubsubhubbub/source/browse/trunk/hub/dos.py

Other hubs aren't fully public and only work for the content providers they 
syndicate (like Posterous's hub); those 
have no exposure to this attack.

I guess the best thing I can do here is potentially put DoS protections in the 
best practices, non-normative part 
of the spec.

Original comment by bslatkin on 19 May 2010 at 5:40