IETF Logo Mail Archive

[IPsec] DDoS Protection - single vs multiple solutions

Yoav Nir <ynir.ietf@gmail.com> Wed, 17 February 2016 16:10 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: ipsec@ietfa.amsl.com
Delivered-To: ipsec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77CBA1A894E for <ipsec@ietfa.amsl.com>; Wed, 17 Feb 2016 08:10:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3ACS3Vq6-vy1 for <ipsec@ietfa.amsl.com>; Wed, 17 Feb 2016 08:10:04 -0800 (PST)
Received: from mail-wm0-x230.google.com (mail-wm0-x230.google.com [IPv6:2a00:1450:400c:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2AE01A8948 for <ipsec@ietf.org>; Wed, 17 Feb 2016 08:10:03 -0800 (PST)
Received: by mail-wm0-x230.google.com with SMTP id a4so35237529wme.1 for <ipsec@ietf.org>; Wed, 17 Feb 2016 08:10:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=K8LllwzuyzOBncqbDIq3tMpQ8J7OHdJLrAAkvVuifJI=; b=acJKgCu55iqwxNBWRyCWgBwstEqSVybYn4UqwEEaFPaG4i20EMCiK6CGQUZ0jD5u8b G/56V0m2SDUt5UZ8F+wCaH3ZK+f5jT+Sqxh3sHbLN7CsJc0pD3xC42dJztJeoGM/Tvqn rYrbvDxJ76nnhdAxwfbRlaURgh9Zf4CJYYL7rDP0GdgPpRBscw2ZGe3DXcHFbl0Sd+hZ dhIxqYp32V7rg185dcBV5MutuwBl+E29u+R/kRcgVXF/VF9AZRsRhA+u8QmQ1sL5o8OF jnhpSxOmTXx+5ER8VfwMWjFG/oMSPOkKEmOSuIP6pYVYxsL9qPIOSFuL+n1qTSly2lzQ Vk3g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:content-type:content-transfer-encoding :subject:message-id:date:to:mime-version; bh=K8LllwzuyzOBncqbDIq3tMpQ8J7OHdJLrAAkvVuifJI=; b=RtujeqIEEOtdlL7pa8mXRPI8zo4tBt7tDQLNPSH1gYdH+wwL3NdzliyZSHgTlgC9Q4 j4tK45l7IDp5q4N64SyugTQLDTreZO7qH0s3rpC9kXW8JbJaY6291HvkMQz9jJrR38cU CfSE9ohh3XAnxqte5JSld93E3O11/qI6wEuZUPWKer4hYb8OKX82+ma9qu84imzKNbGy 2JwrjB4TuARQJMFhcpU6k+K1A7+EQoX994BXhJaoHTK8ZugD/eIu9EW95U3CzBYycN7X D60rBq/rVaT77iGo9KTkEXAeueN0fpgZ5riL4E37vYYc3E5Zk6XI8I/m3TWofRll1GVw uYjA==
X-Gm-Message-State: AG10YORvavs774mMvhu5XwZM7yGiucJW00uTdpA9xIRTMMHBmp1u47Zm1sPkeuMm0lpV8A==
X-Received: by 10.28.180.84 with SMTP id d81mr4863609wmf.42.1455725402471; Wed, 17 Feb 2016 08:10:02 -0800 (PST)
Received: from [172.24.248.214] (dyn32-131.checkpoint.com. [194.29.32.131]) by smtp.gmail.com with ESMTPSA id 74sm3791317wmn.17.2016.02.17.08.10.01 for <ipsec@ietf.org> (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 17 Feb 2016 08:10:01 -0800 (PST)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <54947C0C-EB83-4BD7-8DB1-979F68037B10@gmail.com>
Date: Wed, 17 Feb 2016 18:09:59 +0200
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/v7PFBEWeaT6ZQCjzCmIaxbRnZ8A>
Subject: [IPsec] DDoS Protection - single vs multiple solutions
X-BeenThere: ipsec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Discussion of IPsec protocols <ipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipsec>, <mailto:ipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipsec/>
List-Post: <mailto:ipsec@ietf.org>
List-Help: <mailto:ipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipsec>, <mailto:ipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2016 16:10:06 -0000

Hi

As we’re nearing WGLC for the DDoS protection draft, there is a question we’ve left open in the past that should be resolved.

The issue is with the variability of the time it takes to solve a puzzle. To demonstrate it, I ran a simulation of trying to solve a 20-bit puzzle 1000 times on some specific hardware [1]. The results are available in ODS [2] and XSLX [3] formats, and also summarized below:

    Average                     1.3226669
    Min                         0.0001190
    Max                         7.9450660
    Standard Deviation          1.2873387
    5th percentile              0.0843579
    95th percentile             3.8978098
    95th / 5th percentiles          46.2
    Max / Min                    66765.3

So an “unlucky” initiator, defined here as the 95th percentile for solution time, takes 46x as long to solve the puzzle as a “lucky” one (defined as the 5th percentile). This introduces delays that are visible to human users, whether they are looking at a dialog box on a remote access client or are waiting for their networked application to work.

A while ago Scott Fluhrer suggested a way to make this more fair [4]. The puzzle we were discussing then was a little different, but his method can be adapted to the puzzle that is in the current draft. Instead of requiring just one solution, require the client to find several solutions. The puzzle can be made correspondingly easier. The expected time for finding one solution for a 20-bit puzzle should be the same as the time to find four solutions to an 18-bit puzzle, or 16 solutions to a 16-bit puzzle. The results in [2] and [3] bear this out.

While the expected time is pretty similar, the different between worst case and average case is much better:

    Test Parameters       20x1         18x4         16x16
    Average             1.3226669    1.3400430    1.3445518
    Min                 0.0001190    0.1013960    0.5210680
    Max                 7.9450660    3.9507410    3.0532380
    Standard Deviation  1.2873387    0.6568984    0.3353262
    5th percentile      0.0843579    0.4548676    0.8529980
    95th percentile     3.8978098    2.5217214    1.9443243
    95th / 5th perc.        46.2          5.5          2.3
    Max / Min            66765.3         39.0          5.9

In my opinion the right thing to do is to choose a multi-solution puzzle and adjust the difficulty accordingly. This adds a little complexity but provides a more consistent delay. There have been two arguments against it so far. 

1. The Initial request will become larger with multiple solutions. This is not necessarily true, since the initiator is still limited in the number of possible keys it can try. We can have PRF keys be all zeros except for the last 32 or 64 bits. This is good enough, because no current hardware is able to test 2^32 keys in a reasonable time, and 64-bits gives us protection for the foreseeable future. So a single result can be as low as 4 or 8 octets.

2. The Responder will need to spend more resources verifying more solutions. This is not necessarily true either, because the Responder can just pick one or two solutions at random and only verify them. Not that a single run of the HMAC function takes that many resources.

Yoav

[1] 2.4 GHz Intel Core i5. The CPU in a late 2013 13-inch MacBook Pro.
[2] https://trac.tools.ietf.org/wg/ipsecme/trac/raw-attachment/wiki/TempDocs/puzzle_stats.ods
[3] https://trac.tools.ietf.org/wg/ipsecme/trac/raw-attachment/wiki/TempDocs/puzzle_stats.xslx
[4] https://mailarchive.ietf.org/arch/msg/ipsec/30_tZekTBxdYPFVc6B1bXaEMtEQ

v2.23.0 | Report a Bug | By Email