[OTR-users] OTR loop DOS attack

Ken Restivo ken at restivo.org
Tue Jul 26 00:55:25 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Jul 25, 2005 at 09:44:31PM -0400, Ian Goldberg wrote:
> Note that we don't in general try to protect against DoS attacks, since
> we can't.  But I'm still not clear on what exactly is going on here.
> Can you send me a log?
> 

It appears to be a bug in Adium, not in libotr. I tried with gaim-otr and could not duplicate the problem. Gaim did the right thing: it printed a message stating that it received its own OTR request, and cheerfully reverted back to cleartext mode. Adium, however, kept attempting to send.

This should provide some amusement:
http://www.restivo.org/projects/bots/echobot

To duplicate the problem: 
	1) create a valid user account for the bot, 
	2) run the above bot connected to that account, 
	3) then go to a client Mac running Adium and,
	4) turn on global opportunistic encryption (or is it the default?),
	5) attempt to add the bot's account to your buddy list, and then
	6) attempt to type something to it.

If the problem manifests, you'll get into an endless loop of OTR messages, which will fill up your logs, peg 100% CPU on your machine, and essentially lock it up.

If the problem does *not* manifest, then perhaps my user had some misconfiguration (i.e. maybe she had OTR defaulting to *required* not requested), and I apologise for wasting your time.

- -ken
- -- 
- ---------------
The world's most affordable web hosting.
http://www.nearlyfreespeech.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC5cI9e8HF+6xeOIcRAkfFAKCbAj/gFQaq3+u9KGWVBowDGtfEEACfa6Ky
ondWhOdOnYXM2H7AZPPsFho=
=0IMV
-----END PGP SIGNATURE-----
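
Added example (not part of the original message, and not code from libotr, gaim-otr or Adium): one way a client could recognise its own OTR messages being echoed back and revert to cleartext instead of looping, with a cap on automatic replies as a second bound. The names `peer_state`, `note_sent`, `on_receive` and both limits are hypothetical; it assumes OTR messages are recognised by their `?OTR` prefix and leaves whitespace-tagged plaintext out of scope.

```c
/* Hypothetical reflection guard; names and limits are assumptions. */
#include <stdint.h>
#include <string.h>

#define RECENT 8            /* outbound messages remembered per peer */
#define MAX_AUTO_REPLIES 5  /* automatic protocol replies allowed per peer */

enum action { DELIVER, AUTO_REPLY, FALL_BACK_TO_PLAINTEXT };

struct peer_state {
    uint64_t sent[RECENT];  /* hashes of recent outbound messages */
    unsigned next;          /* ring-buffer write index */
    unsigned auto_replies;  /* automatic replies sent so far */
    int otr_disabled;       /* set once a loop has been detected */
};

/* FNV-1a: only used to recognise our own messages, not for security. */
static uint64_t fnv1a(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 1099511628211ULL; }
    return h;
}

/* Call for every message the client puts on the wire for this peer. */
void note_sent(struct peer_state *p, const char *msg) {
    p->sent[p->next++ % RECENT] = fnv1a(msg);
}

/* Decide what to do with an inbound message from this peer. */
enum action on_receive(struct peer_state *p, const char *msg) {
    int is_otr = strncmp(msg, "?OTR", 4) == 0;
    if (!is_otr || p->otr_disabled)
        return DELIVER;     /* show as cleartext, never answer automatically */
    uint64_t h = fnv1a(msg);
    for (unsigned i = 0; i < RECENT; i++)
        if (p->sent[i] == h) {   /* our own message came back: reflection */
            p->otr_disabled = 1;
            return FALL_BACK_TO_PLAINTEXT;
        }
    if (++p->auto_replies > MAX_AUTO_REPLIES) {  /* bound any other loop */
        p->otr_disabled = 1;
        return FALL_BACK_TO_PLAINTEXT;
    }
    return AUTO_REPLY;
}
```

Once `otr_disabled` is set the client stops answering OTR traffic from that peer automatically, so an echoing peer can no longer drive it to generate more messages.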


