May 2012

XMPP and the ‘billion laughs’ DoS attack... continued

Thanks to the Isode folks and their article I learned about the issue. I regret to say that Tigase was not included in the original tests and I was not notified about the potential problem. I quickly checked Tigase myself and the good news is that, similarly to M-Link XMPP Server, Tigase "is not (and never has been) vulnerable to this attack, no action is therefore required of Tigase users". :-)

Large scale systems based on Tigase

I have just discovered an interesting article about a Tigase deployment on a quite large-scale system and I thought it might be worth sharing. Actually, I was sent the link to this article by somebody who is interested in using Tigase as well. As I did not know about the article, I read it with interest, since it presents a quite new approach to scaling an XMPP system. It is definitely worth reading. The article link: Zoosk - The Engineering Behind Real Time Communications.

Tigase XMPP Server vulnerability to certain DoS attacks fixed

Description

Tigase XMPP Server versions prior to 5.1.1 are vulnerable to certain DoS attacks on the XMPP stream. Sending specially prepared XML data to the XMPP stream of the Tigase server can cause an out-of-memory error, system overload and eventually failure of the service.

Sensitivity

All types of XMPP connections are sensitive to this bug: c2s, s2s and external component connections. The TCP/IP connection does not have to be authenticated for the attack to succeed.
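The class of problem described above is XML that is well-formed but expands, nests or grows beyond what the stream parser can hold, and it arrives before any authentication has happened. As an added illustration (Python, not Tigase's own Java code), the guard below sits on the raw inbound stream the way a server-side parser would and rejects the constructs RFC 6120 forbids on an XMPP stream (DOCTYPE and entity declarations) as well as stanzas that nest or grow beyond configurable limits. The limits, the sample streams and the function names are constructed for this example.

```python
"""Guarded XMPP stream parser (added example): reject DTDs, entity declarations
and over-sized stanzas before the server parser expands or buffers them."""
import xml.parsers.expat


class StreamPolicyViolation(Exception):
    """Raised when the inbound stream carries a construct the policy forbids."""


class GuardedStreamParser:
    """Incremental parser for one connection. Limits are constructed for the example."""

    def __init__(self, max_depth=32, max_stanza_elements=1000, max_stanza_chars=65536):
        self.max_depth = max_depth
        self.max_stanza_elements = max_stanza_elements
        self.max_stanza_chars = max_stanza_chars
        self.depth = 0
        self.stanza_elements = 0
        self.stanza_chars = 0
        self.stanzas = []  # names of top-level stanzas seen so far
        p = xml.parsers.expat.ParserCreate()
        # RFC 6120 section 11.1: an XMPP stream MUST NOT contain a DTD or entity
        # references, so refuse them outright; this stops entity-expansion bombs
        # before anything is expanded.
        p.StartDoctypeDeclHandler = self._reject_doctype
        p.EntityDeclHandler = self._reject_entity
        p.StartElementHandler = self._start_element
        p.EndElementHandler = self._end_element
        p.CharacterDataHandler = self._character_data
        self._parser = p

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise StreamPolicyViolation("DOCTYPE declaration is not allowed on an XMPP stream")

    def _reject_entity(self, *args):
        raise StreamPolicyViolation("entity declaration is not allowed on an XMPP stream")

    def _start_element(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise StreamPolicyViolation(f"nesting depth {self.depth} exceeds {self.max_depth}")
        if self.depth == 2:  # depth 1 is the <stream:stream> root; depth 2 starts a stanza
            self.stanza_elements = 0
            self.stanza_chars = 0
            self.stanzas.append(name)
        if self.depth >= 2:
            self.stanza_elements += 1
            if self.stanza_elements > self.max_stanza_elements:
                raise StreamPolicyViolation(
                    f"stanza has more than {self.max_stanza_elements} elements")

    def _end_element(self, name):
        self.depth -= 1

    def _character_data(self, data):
        # Text may arrive in several callbacks; the per-stanza total is what matters.
        if self.depth >= 2:
            self.stanza_chars += len(data)
            if self.stanza_chars > self.max_stanza_chars:
                raise StreamPolicyViolation(
                    f"stanza text exceeds {self.max_stanza_chars} characters")

    def feed(self, chunk):
        """Feed raw bytes as they arrive from the socket. A violation means the
        connection should be closed; the parser is not reusable afterwards."""
        self._parser.Parse(chunk, False)


def scan_stream(data, **limits):
    """Run one constructed stream prefix through the guard and report the verdict."""
    parser = GuardedStreamParser(**limits)
    try:
        parser.feed(data)
    except StreamPolicyViolation as exc:
        return f"rejected: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return f"accepted: {len(parser.stanzas)} stanza(s)"


# Constructed sample streams (not captured traffic).
STREAM_OPEN = (b'<stream:stream xmlns="jabber:client" '
               b'xmlns:stream="http://etherx.jabber.org/streams" '
               b'to="example.com" version="1.0">')
BENIGN = (STREAM_OPEN
          + b'<message to="b@example.com"><body>hi</body></message>'
          + b'<presence/>')
# A tiny internal DTD: rejected at the DOCTYPE, so nothing is ever expanded.
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE s [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;">]>'
            + STREAM_OPEN + b'<message><body>&b;</body></message>')
DEEP = STREAM_OPEN + b'<a>' * 40 + b'</a>' * 40
WIDE = STREAM_OPEN + b'<iq>' + b'<x/>' * 1500 + b'</iq>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("dtd", WITH_DTD), ("deep", DEEP), ("wide", WIDE)]:
        print(f"{label:7s} {scan_stream(sample)}")
```

Because every limit is checked inside the parser callbacks, a violating stanza is cut off while it is still being read rather than after it has been fully buffered, which is the property that matters for the out-of-memory failure mode; on any violation the right response is to close the connection and discard the parser.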

Solution

A fix for the problem is already in our SVN repository and covers changes in both the Tigase XMPP Server code (tagged as tigase-server-5.1.1) and the Tigase XML Tools code (tagged as tigase-xmltools-3.4.2). Binary packages have been released and published under version number 5.1.2, which also includes some BOSH improvements for multiple HTTP connections with the web client and compatibility with the Strophe library.

Tigase clustering description

We have recently received many questions about Tigase clustering. You requested information on how it is implemented, how it works, what load it can support, etc. As a result I decided to start working on some documentation to give you the technical details and a better understanding of the whole thing.
