Hi, you may be also interested in similar work done in ipsecme group:
https://www.ietf.org/id/draft-ietf-ipsecme-ddos-protection-06.txt The draft describes various defnse methods against (D)DoS attacks in IKEv2 and, in particular, introduces puzzles. We tried to specify using puzzles in such a way that their negative impact on legitimate (or even unsupporting) initiators be as small as possible (although of course it cannot be completely avoided). The draft is in WGLC now. Regards, Valery Smyslov. On Wed, Jun 29, 2016 at 5:41 PM, Christian Huitema <huit...@microsoft.com> wrote: On Wednesday, June 29, 2016 2:08 PM, Kyle Rose wrote: > > Raising the cost of requests has a similar problem in that you're punishing > every client, but in doing so you do allow all clients capable of absorbing > the increased cost (e.g., memory, computing power) to get access to the > resources they need if the user is willing to accept that cost (e.g., energy, > latency). The obvious issue with the "proof of work" defense against DDOS is that the bot nets can do more work than many legitimate clients. The puzzle approach will cut off the least capable legitimate clients, such as old phones or IOT devices. It will not cut off the PC enrolled in a bot net. It will merely slow it down a little. But then, you could have the same effect by just delaying the response and enforcing one connection per client. I agree with you that the above seems equivalent in theory, but in practice it might not be feasible. The biggest obstacle seems to be enforcing one connection per client. Let's say rate limiting on a per-client basis doesn't work because many of your clients are behind a NAT; or because the attacker is using IPv6 and generates a ton of temporary addresses that make the situation indistinguishable from many legitimate clients in the same subnet. So you can either serve one (or a small N) of them at a time, or you drop that restriction and allow a single client to mount an asymmetric attack. Alternatively, what if you have lots of geographically-distributed servers and can't share client rate limiting state among them quickly enough to detect and blacklist attackers? It's possible there are additional asymmetric attack vectors I'm not thinking of, which is why I like this as a general defense against a class of attacks. I mostly agree it's mostly worthless when you have one server facing a botnet of 100,000 machines, but frankly that one server is a sitting duck regardless of countermeasures. OTOH, what if you have 20,000 servers facing such a botnet? Client puzzles effectively become a mechanism for enforcing distributed rate limiting, and could be used to dramatically raise the cost of mounting such an attack. I have to think a lot more about the IoT/resource-constrained client problem, but I still don't think the existence of clients that would be by this scheme Kyle ------------------------------------------------------------------------------ _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
