
Subject: KDC TCP support needs better denial-of-service protection
Currently the only safeguard against a denial-of-service attack is a
limited number of connections, and a bounded amount of reserved data
space the server will accept on any connection. It would be entirely
possible for an attacker to swamp the KDC with connection requests,
causing legitimate connections to be dropped very rapidly, perhaps
before processing any requests.

Something better is desirable, but just what that should be needs some

Fixed by using libverto in the KDC.