[krbdev.mit.edu #1316] KDC TCP support needs better denial-of-service protection

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Tue Jan 14 20:02:33 EST 2003


Currently the only safeguard against a denial-of-service attack is a
limited number of connections, and a bounded amount of reserved data
space the server will accept on any connection.  It would be entirely
possible for an attacker to swamp the KDC with connection requests,
causing legitimate connections to be dropped very rapidly, perhaps
before processing any requests.

Something better is desirable, but just what that should be needs some
consideration.


