[Zope] - ZServer

Michel Pelletier michel@digicool.com
Wed, 27 Jan 1999 10:05:54 -0500


Jim Fulton wrote:

> Michel Pelletier wrote:
> >
> > I noticed that when you FTP into ZServer it doesn't matter
> > what userid or password you use, it always says 'Login Successful'.
> > Of course, you're not authorized to see anything but you're still
> > logged in and there is still an open Medusa channel.  Couldn't this
> > be a hole into a possible Denial of Service attack?
>
> How is this different from anonymous FTP?
> How do other servers limit denial of service attacks
> on anonymous FTP?

There is the minor difference that anonymous FTP
can be turned off, thus denying even making a
connection.  Also anonymous access is only
granted for the anonymous uid with the option
to verify with a password.  With Medusa I can
log in with joe:blow and still tie a line.  Paul
mentioned the throttling.

>
> Note that a medusa connection does not consume many
> resources and doesn't tie up the application
> in any way.
>

You're right there, Medusa may be so darn fast that
it won't matter, I'm going to experiment with a simple
DOS script today, see if I can bring Medusa to its knees.

Michel

>
> Jim
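
The two mitigations raised in this thread (refusing unknown credentials instead of keeping the channel open, and throttling connections per address) can be sketched as follows. This is an added example, not part of the original message and not ZServer or Medusa code; `FtpLoginGate`, its methods, the account table and the addresses are hypothetical, constructed for illustration.

```python
import hmac
from collections import Counter

class FtpLoginGate:
    """Decides whether an FTP control channel may stay open (hypothetical helper)."""

    def __init__(self, users, allow_anonymous=False, max_per_ip=2):
        self.users = users                    # constructed sample accounts
        self.allow_anonymous = allow_anonymous
        self.max_per_ip = max_per_ip
        self.open_channels = Counter()        # ip -> open control channels

    def on_connect(self, ip):
        """Throttle: refuse a new channel once an address holds its quota."""
        if self.open_channels[ip] >= self.max_per_ip:
            return (421, "Too many connections from your address")
        self.open_channels[ip] += 1
        return (220, "Service ready")

    def on_login(self, ip, user, password):
        """Return (code, text, keep_open); a failed login releases the channel."""
        if user == "anonymous":
            ok = self.allow_anonymous         # anonymous access can be switched off
        else:
            expected = self.users.get(user)
            ok = expected is not None and hmac.compare_digest(
                expected.encode(), password.encode())
        if ok:
            return (230, "Login successful", True)
        self.on_close(ip)                     # do not leave the line tied up
        return (530, "Login incorrect", False)

    def on_close(self, ip):
        if self.open_channels[ip] > 0:
            self.open_channels[ip] -= 1

def demo():
    """Constructed session: one bad login, then three connection attempts."""
    gate = FtpLoginGate({"michel": "s3cret"}, allow_anonymous=False, max_per_ip=2)
    ip = "192.0.2.7"                          # documentation address, constructed
    codes = [gate.on_connect(ip)[0],
             gate.on_login(ip, "joe", "blow")[0],   # rejected, channel dropped
             gate.on_connect(ip)[0],
             gate.on_connect(ip)[0],
             gate.on_connect(ip)[0]]                # over quota
    return codes, gate.open_channels[ip]
```
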