Subject: Re: [dcdev] adc
From: Todd Pederzani
Date: 2004-01-23 4:51
To: Direct Connect developers
> I really don't think that was the heart of the matter. The thing was
> that with unknown broadcasted commands, you could potentially give a
> command that would force compliant clients to send lots of data to an
> unrelated IP address, thereby making DDoS attacks easy.

I'm not sure I follow. Certainly, you could (if the hub doesn't enforce proper IPs) send a connection message to clients making them all try to connect to a remote IP. Or you could similarly fake an IP in the search string (causing a bit of udp traffic to the remote IP). Both are possible with the current protocol. If you're suggesting that there's a buffer overflow in one of the yet-to-be-coded clients... sure. Having the hub screen unknown commands (beyond some common-sense rate and bandwidth limiting) is the wrong approach to protecting users in my opinion. Such a buggy client should get eliminated (or fixed) through the software equivalent of natural selection - bad clients and hubs deserve to die and be replaced with better ones.
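
The hub-side IP enforcement mentioned in the message above, as an added example that is not part of the original message or of any hub's code. It assumes the NMDC command shapes listed in the comments and that the hub knows each client's socket peer address; `enforce_sender_ip` and `ADDRESS_COMMANDS` are hypothetical names.

```python
import ipaddress

# Assumed NMDC command shapes (not quoted in the message above):
#   $ConnectToMe <target_nick> <ip>:<port>|
#   $Search <ip>:<port> <query>|     active search, results sent over UDP
#   $Search Hub:<nick> <query>|      passive search, no address to check
ADDRESS_COMMANDS = {"$ConnectToMe": 2, "$Search": 1}  # index of the address field


def enforce_sender_ip(command, peer_ip):
    """Hypothetical hub-side check: return (allowed, reason) for one command."""
    parts = command.rstrip("|").split(" ")
    index = ADDRESS_COMMANDS.get(parts[0])
    if index is None:
        # Unknown or address-free commands are not screened by this check.
        return True, "no address field"
    if len(parts) <= index:
        return False, "malformed command"
    field = parts[index]
    if parts[0] == "$Search" and field.startswith("Hub:"):
        return True, "passive search"
    host, _, port = field.rpartition(":")
    try:
        claimed = ipaddress.ip_address(host)
    except ValueError:
        return False, "address is not an IP literal"
    if not (port.isdigit() and 0 < int(port) < 65536):
        return False, "invalid port"
    # The address a client asks others to contact must be its own.
    if claimed != ipaddress.ip_address(peer_ip):
        return False, "claimed address differs from socket peer"
    return True, "address matches socket peer"


if __name__ == "__main__":
    # Constructed sample traffic from a client whose socket peer is 10.0.0.5.
    samples = [
        "$ConnectToMe bob 10.0.0.5:412|",
        "$ConnectToMe bob 192.0.2.9:80|",
        "$Search 192.0.2.9:53 F?T?0?9?x|",
        "$Search Hub:alice F?T?0?1?x|",
        "$UnknownCmd foo|",
    ]
    for line in samples:
        print(line, "->", enforce_sender_ip(line, "10.0.0.5"))
```
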