rajvasani / pubsubhubbub

Automatically exported from code.google.com/p/pubsubhubbub

PuSH hubs vulnerable to denial of service #112

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

I've noticed a possible denial of service if a PuSH hub were to accept
'publish' notifications without authentication from the 'publisher'.

I understand these requests are only pings. My concern is at the content
fetch, assuming it's immediate and not queued for processing later.

The spec clearly states no authentication is necessary for 'publish' requests.

This means a malicious user could easily send "fake" publish requests to a
hub, thus forcing it to fetch the feeds which have been updated. At first
it doesn't seem like much of a problem, but if the feed is sufficiently
large (even worse, if the feed is generated by the malicious user), then it
could essentially cause a DoS on the hub itself.

RELEVANT SECTION:  0.3 Spec, Section 7

COMMENT/REQUEST:

I would suggest amending the Spec to include authentication of 'publish'
requests, thus preventing a hub from DoS'ing itself in the event someone
tries to fake said requests.

Original issue reported on code.google.com by alexwilliamsca on 19 May 2010 at 3:39

GoogleCodeExporter commented 9 years ago
Dealing with this requires a standard approach to DoS prevention. We do this in 
the reference hub here:
http://code.google.com/p/pubsubhubbub/source/browse/trunk/hub/dos.py

Other hubs aren't fully public and only work for the content providers they
syndicate (like Posterous's hub); those have no exposure to this attack.

I guess the best thing I can do here is potentially put DoS protections in the
best practices, non-normative part of the spec.

Original comment by bslatkin on 19 May 2010 at 5:40
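The two comments above describe the problem (unauthenticated publish pings force the hub to fetch a topic, and the feed may be large or attacker-generated) and the general shape of the answer (standard DoS protection in the hub, such as the reference hub's dos.py). The block below is an added example written for this page; it is not the reference hub's dos.py and not code from the pubsubhubbub project. It assumes a hub that receives `hub.mode=publish` pings carrying a `hub.url` topic and a client source address, and shows two defensive measures a hub can apply before fetching: a per-topic cooldown that coalesces a burst of pings into one fetch, a per-source sliding-window limit on how many fetches one client can trigger, and a bounded read so that an oversized feed body is abandoned rather than buffered. All names, limits, addresses and sample pings are constructed for illustration.

```python
"""Added example (not the project's code): throttling feed fetches triggered by
unauthenticated publish pings, plus a bounded body read. Names, limits and the
sample traffic are constructed assumptions, not taken from the issue."""
import io
import time
from collections import defaultdict, deque


class FetchThrottle:
    """Decides whether a publish ping for a topic should trigger a feed fetch.

    Two independent limits:
      * per-topic cooldown: at most one fetch per topic every `topic_cooldown`
        seconds; further pings inside the window are coalesced (the topic is
        marked dirty and fetched once when the window expires).
      * per-source limit: one client address may trigger at most `source_limit`
        fetches per `source_window` seconds (sliding window); beyond that its
        pings are rejected outright.
    """

    def __init__(self, topic_cooldown=60.0, source_limit=10, source_window=60.0,
                 clock=time.monotonic):
        self.topic_cooldown = topic_cooldown
        self.source_limit = source_limit
        self.source_window = source_window
        self.clock = clock                      # injectable for testing
        self.last_fetch = {}                    # topic -> time of last fetch
        self.pending = set()                    # topics pinged during their cooldown
        self.source_hits = defaultdict(deque)   # source -> timestamps of fetches it caused

    def _source_allowed(self, source, now):
        hits = self.source_hits[source]
        while hits and now - hits[0] > self.source_window:
            hits.popleft()                      # drop timestamps outside the window
        return len(hits) < self.source_limit

    def on_publish(self, topic, source):
        """Handle one publish ping; returns 'fetch', 'coalesced' or 'rejected'."""
        now = self.clock()
        if not self._source_allowed(source, now):
            return "rejected"
        last = self.last_fetch.get(topic)
        if last is not None and now - last < self.topic_cooldown:
            self.pending.add(topic)             # remember it, fetch once later
            return "coalesced"
        self.last_fetch[topic] = now
        self.source_hits[source].append(now)
        self.pending.discard(topic)
        return "fetch"

    def due_topics(self):
        """Topics whose cooldown expired and that were pinged during it."""
        now = self.clock()
        due = [t for t in self.pending
               if now - self.last_fetch[t] >= self.topic_cooldown]
        for t in due:
            self.pending.discard(t)
            self.last_fetch[t] = now
        return due


def read_bounded(stream, max_bytes):
    """Read at most max_bytes from a file-like body; raise if it is larger.
    Guards the fetch against a feed that is (or is generated to be) huge."""
    data = stream.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise ValueError("feed body exceeds %d bytes" % max_bytes)
    return data


def simulate_fake_pings():
    """Constructed scenario, not real traffic: one client (203.0.113.7, a
    documentation address) sends 50 pings for a single topic and then 50 pings
    for distinct topics, all within two seconds. Returns the outcome counts and
    the topics due for a fetch once the cooldown has expired."""
    now = [0.0]
    th = FetchThrottle(topic_cooldown=60.0, source_limit=5, source_window=60.0,
                       clock=lambda: now[0])
    counts = {"fetch": 0, "coalesced": 0, "rejected": 0}
    for _ in range(50):
        now[0] += 0.02
        counts[th.on_publish("http://feeds.example.org/big.xml", "203.0.113.7")] += 1
    for i in range(50):
        now[0] += 0.02
        counts[th.on_publish("http://feeds.example.org/%d.xml" % i, "203.0.113.7")] += 1
    now[0] += 61.0                              # let the cooldown expire
    return counts, th.due_topics()


def bounded_read_demo():
    """Constructed bodies: a 10-byte body under a 10-byte cap, an 11-byte body over it."""
    ok = read_bounded(io.BytesIO(b"a" * 10), 10)
    try:
        read_bounded(io.BytesIO(b"a" * 11), 10)
        oversize_rejected = False
    except ValueError:
        oversize_rejected = True
    return len(ok), oversize_rejected


if __name__ == "__main__":
    print(simulate_fake_pings())
    print(bounded_read_demo())
```

In the constructed run the single-topic burst costs the hub exactly one fetch (the other 49 pings are coalesced), and the flood of distinct topics is cut off by the per-source limit after four more fetches, with the remaining 46 pings rejected; the one coalesced topic is fetched once more when its cooldown expires. The source limit is checked before the topic cooldown, so a client already over its budget cannot even mark topics dirty; whether that ordering is right depends on how much the hub trusts the source address it sees.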

GoogleCodeExporter commented 9 years ago
Due to the approaching shutdown of Google Code
(http://google-opensource.blogspot.ch/2015/03/farewell-to-google-code.html)
we're moving all public PubSubHubbub development to the pubsubhubbub organization on Github:

https://github.com/pubsubhubbub

The protocol spec resides under https://github.com/pubsubhubbub/PubSubHubbub 
while the various client libraries and example applications have separate 
repositories.

Wiki content has been migrated to the PubSubHubbub project as well:

https://github.com/pubsubhubbub/PubSubHubbub/wiki

Please re-open your issue on GitHub if it's still relevant. 

Original comment by the...@google.com on 18 May 2015 at 7:25