
Re: service.notify?




On Jan 11, 2004, at 11:14 AM, petite_abeille wrote:


One denial of service attack is to register hundreds of URLs at a victim's site with hundreds of notification centers.

At worst, your site goes under. No big loss there. A blog is not a critical piece of infrastructure last time I checked.

Notification centers can be directed to hit any host on the internet. The host need not be hosting a blog or even be running a web server. Because the notifications do not include any information about the notification center, there does not appear to be an easy way for a victim to discover the notification centers hitting his host so that he can put a stop to an attack.


On Jan 11, 2004, at 10:43 AM, petite_abeille wrote:

4) How does one unsubscribe?

There should be a corresponding DELETE method.

What stops an attacker from unregistering other users? This attack can be automated using blogroll formats discussed elsewhere on this list.