We have a scenario where Openfire is used as the middleware for a distributed system. Recently, there were issues with Openfire throwing OutOfMemoryErrors and basically grinding to a halt. After some investigation, we found a script that was essentially sending large amounts of data (hundreds of MB) to every online user. The whole thing looked a bit like a Denial of Service attack.
We solved this by patching Openfire to throttle client connections using MINA's ReadThrottleFilterBuilder. This filter limits the amount of data that can be read from the socket and that is waiting to be processed. As messages get processed, more data can be read from the socket again. The result is that it is no longer possible for a single sender to overwhelm Openfire, and the server stays operational as if nothing happened. Normal clients, manually typing messages, would never trigger the filter.
I would rather not have to maintain a private branch with my patches and can submit the patch and a load tester application that simulates the problem to the Openfire developers. Would you be interested in applying this to Openfire?
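The throttling described in the post, as an added stand-alone illustration that is not the poster's patch nor Openfire's own code: a minimal MINA 1.1 line-oriented server that wires a ReadThrottleFilterBuilder around its ExecutorFilter, plus a single-sender flood client of the kind the post's load tester would use. It assumes the MINA 1.1.x API (org.apache.mina.common.*, the series Openfire 3.x was built on); the port, the 256 KB threshold, the line format and the class/method names here are arbitrary choices for the example.

```java
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.nio.charset.Charset;
import java.util.Arrays;

import org.apache.mina.common.DefaultIoFilterChainBuilder;
import org.apache.mina.common.IoHandlerAdapter;
import org.apache.mina.common.IoSession;
import org.apache.mina.filter.ReadThrottleFilterBuilder;
import org.apache.mina.filter.codec.ProtocolCodecFilter;
import org.apache.mina.filter.codec.textline.TextLineCodecFactory;
import org.apache.mina.filter.executor.ExecutorFilter;
import org.apache.mina.transport.socket.nio.SocketAcceptor;

/**
 * Example only (assumed MINA 1.1.x API): a line-oriented TCP server whose
 * per-connection read backlog is capped by ReadThrottleFilterBuilder.
 */
public class ThrottledLineServer {

    static final int PORT = 6222;                          // hypothetical port
    static final int MAX_BUFFERED_PER_CONN = 256 * 1024;   // bytes queued ahead of the worker pool

    public static void main(String[] args) throws Exception {
        SocketAcceptor acceptor = new SocketAcceptor();
        DefaultIoFilterChainBuilder chain = acceptor.getFilterChain();

        // 1. Worker pool first. Everything a session has handed to the pool but
        //    not yet processed is what the throttle counts. The throttle only
        //    counts raw ByteBuffers, so the executor must sit before the codec.
        chain.addLast("threadPool", new ExecutorFilter());
        // 2. Decode the byte stream into lines inside the worker threads.
        chain.addLast("codec", new ProtocolCodecFilter(
                new TextLineCodecFactory(Charset.forName("UTF-8"))));
        // 3. Wrap the executor: attach() inserts a counting filter before the
        //    ExecutorFilter and a releasing filter after it. Once a session's
        //    queued bytes exceed the threshold its reads are suspended; they
        //    resume as the pool drains the backlog. Without an ExecutorFilter
        //    in the chain attach() throws IllegalStateException.
        ReadThrottleFilterBuilder throttle = new ReadThrottleFilterBuilder();
        throttle.setMaximumConnectionBufferSize(MAX_BUFFERED_PER_CONN);
        throttle.attach(chain);

        acceptor.bind(new InetSocketAddress(PORT), new IoHandlerAdapter() {
            @Override
            public void messageReceived(IoSession session, Object message) throws Exception {
                // Stand-in for slow downstream work such as fanning a stanza
                // out to every online user.
                Thread.sleep(5);
                String line = (String) message;
                session.write("ack " + line.length());
            }

            @Override
            public void exceptionCaught(IoSession session, Throwable cause) {
                session.close();   // drop a misbehaving sender rather than leak the session
            }
        });
        System.out.println("listening on " + PORT);
    }

    /**
     * Flood client: one sender pushing the given number of megabytes of
     * 512-byte lines as fast as the socket allows. Once the server suspends
     * reads, the kernel receive buffer fills, the TCP window closes and
     * write() blocks here: the backpressure lands on the sender, not on the
     * server's heap.
     */
    public static void flood(String host, int port, int megabytes) throws Exception {
        byte[] line = new byte[512];
        Arrays.fill(line, (byte) 'A');
        line[line.length - 1] = (byte) '\n';
        Socket socket = new Socket(host, port);
        try {
            OutputStream out = socket.getOutputStream();
            for (int i = 0; i < megabytes * 2048; i++) {   // 2048 lines of 512 B per MB
                out.write(line);
            }
            out.flush();
        } finally {
            socket.close();
        }
    }
}
```

Run the server, then call `flood("localhost", 6222, 500)` from a second JVM to reproduce a single sender pushing hundreds of MB: the server's resident memory stays flat at roughly the threshold per connection while the flooder stalls in `write()`. Two caveats worth keeping in mind when applying this to a real deployment: the cap is per connection, so the aggregate backlog is still the threshold times the number of open sessions, and it only bounds the inbound side; whatever the handler does with a message (for instance queuing it for delivery to every online user) still needs its own limits on the outbound write queues.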