progrium / http-subscriptions


Malicious Subscription #2

Open billc opened 11 years ago

billc commented 11 years ago

What prevents a malicious server from sending a subscription request to a third server? Is there any check to prevent a pseudo DDoS attack with this spec?

progrium commented 11 years ago

Can you explain the possible scenario more?

On Saturday, April 6, 2013, Bill Christian wrote:

What prevents a malicious server from sending a subscription request to a third server? Is there any check to prevent a pseudo DDoS attack with this spec?

— Reply to this email directly or view it on GitHub: https://github.com/progrium/http-subscriptions/issues/2

Jeff Lindsay http://progrium.com

bbarr commented 10 years ago

I think he means:

I want to attack foo.com. So I subscribe to bar.com/event-topic with a callback url of foo.com. Then I rinse and repeat that subscribe to 10k other active public event endpoints from hundreds of different servers. Foo.com gets slammed by a stream of published events.

Could foo.com end up getting successfully DDOS'ed by all the unknowing event servers?

bbarr commented 10 years ago

I notice that pubsubhubbub uses an initial request to verify and avoid this, and perhaps that just hasn't made its way into the spec.

progrium commented 10 years ago

No, it was added but removed because it made the spec too complicated given all the implementations already out there. If a subscriber URL finds it is being abused, it should try to tell the event source in a response that it doesn't want this subscription anymore.

On Wed, Sep 18, 2013 at 10:51 PM, Brendan Barr notifications@github.com wrote:

I notice that pubsubhubbub uses an initial request to verify and avoid this, and perhaps that just hasn't made its way into the spec.


Jeff Lindsay http://progrium.com
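The two defences discussed in this thread, shown together in an added example that is not code from the http-subscriptions repository or from either commenter. The `subscribe` step models the PubSubHubbub-style intent verification bbarr mentions (a random challenge the callback must echo, which progrium notes was dropped from the spec), and the `publish` step implements progrium's suggestion that an abused callback can tell the event source it no longer wants the subscription. The `hub.*` parameter names, the choice of 404/410 as the "stop sending" signal, the `EventSource` class and the in-memory fake network are all assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed transport shape: (method, url, body) -> (status, response_body).
# A real event source would plug an HTTP client in here; keeping it pluggable
# lets the example run offline against the constructed fake network below.
HttpCall = Callable[[str, str, str], Tuple[int, str]]

# Status codes the event source treats as "drop this subscription" (assumption).
UNSUBSCRIBE_STATUSES = {404, 410}


@dataclass
class EventSource:
    http: HttpCall
    subscriptions: Dict[str, Set[str]] = field(default_factory=dict)

    def subscribe(self, topic: str, callback_url: str) -> bool:
        """Activate a subscription only if the callback proves it asked for it.

        Modelled on PubSubHubbub intent verification: a fresh random challenge
        is sent to the callback and it must be echoed back. A host that never
        subscribed (foo.com in the thread's scenario) will not echo it, so the
        forged subscription is never activated and nothing is published to it.
        """
        challenge = secrets.token_urlsafe(16)
        query = urlencode({"hub.mode": "subscribe", "hub.topic": topic,
                           "hub.challenge": challenge})
        status, body = self.http("GET", f"{callback_url}?{query}", "")
        if not (200 <= status < 300 and body == challenge):
            return False
        self.subscriptions.setdefault(topic, set()).add(callback_url)
        return True

    def publish(self, topic: str, event: str) -> Dict[str, int]:
        """Deliver one event; drop any callback that answers with 404/410."""
        results: Dict[str, int] = {}
        for callback_url in sorted(self.subscriptions.get(topic, set())):
            status, _ = self.http("POST", callback_url, event)
            results[callback_url] = status
            if status in UNSUBSCRIBE_STATUSES:
                self.subscriptions[topic].discard(callback_url)
        return results


def make_fake_network() -> Tuple[HttpCall, dict]:
    """Constructed offline stand-in for two hosts: a bystander and a real subscriber."""
    state = {"victim_hits": 0, "subscriber_events": [], "subscriber_wants": True}

    def victim(method: str, url: str, body: str) -> Tuple[int, str]:
        # foo.com never asked for anything: it serves its normal page and does
        # not echo the challenge, so verification fails.
        state["victim_hits"] += 1
        return 200, "<html>home page</html>"

    def subscriber(method: str, url: str, body: str) -> Tuple[int, str]:
        if method == "GET" and "hub.challenge=" in url:
            challenge = parse_qs(urlparse(url).query)["hub.challenge"][0]
            return 200, challenge
        if not state["subscriber_wants"]:
            return 410, "no longer subscribed"  # the response progrium suggests
        state["subscriber_events"].append(body)
        return 204, ""

    handlers = {"foo.com": victim, "sub.example": subscriber}

    def http(method: str, url: str, body: str) -> Tuple[int, str]:
        return handlers[urlparse(url).netloc](method, url, body)

    return http, state


def demo() -> Tuple[bool, bool, int, int, int]:
    """Run the scenario: a forged subscription for foo.com and a genuine one."""
    http, state = make_fake_network()
    source = EventSource(http)
    forged = source.subscribe("news", "http://foo.com/")
    legit = source.subscribe("news", "http://sub.example/hook")
    source.publish("news", "event-1")        # delivered to sub.example only
    state["subscriber_wants"] = False        # subscriber now answers 410
    source.publish("news", "event-2")        # 410 -> subscription dropped
    source.publish("news", "event-3")        # nobody left to deliver to
    remaining = len(source.subscriptions.get("news", set()))
    return forged, legit, state["victim_hits"], len(state["subscriber_events"]), remaining


if __name__ == "__main__":
    print(demo())
```

With verification in place the bystander receives exactly one small GET per forged subscribe attempt rather than an open-ended stream of published events, which is the difference between the amplification bbarr describes and a bounded, attributable probe; the 410 path covers the case progrium raises, where a callback that was once legitimate wants the stream to stop.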