IETF Logo Mail Archive

Re: Idea: DoS prevention by proof-of-work in Initial packet

Erik Nygren <erik+ietf@nygren.org> Sun, 04 September 2022 14:21 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42642C14F725 for <quic@ietfa.amsl.com>; Sun, 4 Sep 2022 07:21:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.409
X-Spam-Level:
X-Spam-Status: No, score=-6.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.248, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xb9T3fR45G7d for <quic@ietfa.amsl.com>; Sun, 4 Sep 2022 07:20:58 -0700 (PDT)
Received: from mail-pl1-f176.google.com (mail-pl1-f176.google.com [209.85.214.176]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2C9EC14F721 for <quic@ietf.org>; Sun, 4 Sep 2022 07:20:58 -0700 (PDT)
Received: by mail-pl1-f176.google.com with SMTP id p18so6248946plr.8 for <quic@ietf.org>; Sun, 04 Sep 2022 07:20:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=/LW3DOfK0IGRpBkYKReBFqODkFE0Kepd5SIyiaT3zx0=; b=qGE6H7Kooa68hN14eiEY+gMwLHb/Dx/DT7GZU+cOIxuqUYGLfJ29YMzv2iMYCIbaJ5 nQNPguYPkUzWWr3/J/hxwMe/6pQDieML3+BVyeSCvPuEixk6lttMf4Ch8hF/ZdOk4+xo tEXYeCsOnTwB+FJbLRE0h3sz9razWOxtlilHTXogW8DDL9hVPnVCvsWuIxGhT51HF9UZ yzeVhOynelxM1mxb28/JqgA/PBRmYS1UnDRMXgm5SQ5Zm1OPhksUiUDooZg2cP9u0Inw m4eTDO1AeIV1GsBpFjL5Lzn/a32soBcdOyyObYKhC+zDu3SjIRZ61BCVgp4IEZLNSESc /R8g==
X-Gm-Message-State: ACgBeo1yAwNG2znoCWEPuk7cUCXsQzdAcBR5LzxrYtmb1mxf2N/h9o2n 8G6zDpoIz9akgjhUBm5lBN14q9j/Ww1K74sttvsyFz8ShXaCGg==
X-Google-Smtp-Source: AA6agR6LicZgHydKXm+LIe8lDU5zrVDfyiA//lcubusb8P+mORjYnDVr7j8KpiRBBOXNGr/c872SASVHvUyaODvyqo8=
X-Received: by 2002:a17:902:ec88:b0:175:d8f:44b with SMTP id x8-20020a170902ec8800b001750d8f044bmr28033036plg.84.1662301257794; Sun, 04 Sep 2022 07:20:57 -0700 (PDT)
MIME-Version: 1.0
References: <1e3a443d-abcd-6cd4-7abd-5fa0c598baa9@nic.cz>
In-Reply-To: <1e3a443d-abcd-6cd4-7abd-5fa0c598baa9@nic.cz>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Sun, 04 Sep 2022 10:20:46 -0400
Message-ID: <CAKC-DJgAH=O0xh+0BNh-FOFKCboACvAD12fJSZrLprtrk3OAWg@mail.gmail.com>
Subject: Re: Idea: DoS prevention by proof-of-work in Initial packet
To: "libor.peltan" <libor.peltan=40nic.cz@dmarc.ietf.org>
Cc: quic@ietf.org
Content-Type: multipart/alternative; boundary="000000000000fb0af305e7daab5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/qm5Jy93zfQqXa3D_fwV6N5GTERE>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Sep 2022 14:21:03 -0000

If you're looking for something stronger to also protect the TLS handshake,
we also had this draft a few years back that leveraged some TLS 1.3 features
and might either be adaptable to QUIC or "just work":

  https://datatracker.ietf.org/doc/html/draft-nygren-tls-client-puzzles-02

There was insufficient interest in it at the time, and that was even
when RSA signings were dominant.  Now with ECDSA key signings
being widely supported it's unclear how much it is needed vs
just a Retry approach.

     Erik



On Fri, Sep 2, 2022 at 2:59 AM libor.peltan <libor.peltan=
40nic.cz@dmarc.ietf.org> wrote:

> Hi all,
>
> I'm developing DNS-over-QUIC implementation in authoritative Knot DNS.
> I'm highly concerned about DoS resistance. According to our findings so
> far, the situation around authoritative DNS-over-QUIC (ADoQ) is following:
>
>   - The server can try to defend by requiring Retry packet, which
> prevents source address spoofing and too simple Initial packet floods,
> but also cripples legitimate connections by an additional RTT for the
> whole duration of attack (possibly all the time).
>
>   - A determined attacker can simply proceed with complete connections,
> including Retry packets. We have developed even the tools to perform
> such attacks.
>
>   - Opposed to plain DNS, the bottleneck is no longer any connection
> bandwidth. When both sides encrypt and decrypt all the packets, what
> matters is the CPU power.
>
>   - QUIC protocol seems to be balanced in the way that it gives no
> advantage to client or server side. If (and only if) the attacker has
> more CPU power available, it's able to exhaust the server computing
> resources, leading to DoS.
>
> I must admit I'm a "DNS guy" and I might have imperfect insight in QUIC
> nuances. Is there any tactic that would help defend the server against
> DoS? I always think that HTTP-over-QUIC servers must face the same
> issues. But it's also possible that they just rely on CDNs and stuff,
> which is not really appliable on common authoritative DNS.
>
> I looked also at Retry packet offload, but this does not make much sense
> for ADoQ.
>
> Thank you for any replies, suggestions and ideas!
>
> Libor
>
>
>

v2.23.0 | Report a Bug | By Email