[TLS] add challenge in TLS v1.3 to prevent DDOS attack?

"Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com> Mon, 08 June 2015 08:46 UTC

Return-Path: <bingzheng.wbz@alibaba-inc.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 07D2F1B2D91 for <tls@ietfa.amsl.com>; Mon, 8 Jun 2015 01:46:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id vrAoB5kganFm for <tls@ietfa.amsl.com>; Mon, 8 Jun 2015 01:46:27 -0700 (PDT)
Received: from out4133-18.mail.aliyun.com (out4133-18.mail.aliyun.com []) by ietfa.amsl.com (Postfix) with ESMTP id 8D0A91B2D75 for <tls@ietf.org>; Mon, 8 Jun 2015 01:46:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alibaba-inc.com; s=default; t=1433753185; h=Date:From:To:Message-ID:Subject:MIME-Version:Content-Type; bh=mL6Zeq9i+zJ2b33lmCjNN8au6G+gxGLCxztsxSfEkUs=; b=SJn7s9LHSXN8rpr+gGsXWQsPETnp4xh4Eq1LZMOyHSkvJs8HoFr/DPpz3+NzPQnafYfuUE33xEoItV8S1xVSGHNjDq5NRZhpyzMPNJLyqORJbqkiPzICaW0rz6i9hrtZqWlOTXH2tvzx84HJUAFiKtuJVWrlnxLiAzakwMQpssI=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R431e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=r46d02003; MF=bingzheng.wbz@alibaba-inc.com; PH=DW; RN=1; RT=1; SR=0;
Received: from WS-web (bingzheng.wbz@alibaba-inc.com[]) by r41g03021.xy2.aliyun.com at Mon, 08 Jun 2015 16:46:18 +0800
Date: Mon, 08 Jun 2015 16:46:18 +0800
From: "Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com>
To: "tls" <tls@ietf.org>
Message-ID: <----3-------MPf3-$0147073b-d557-427b-a8c7-d3dd80aef07b@alibaba-inc.com>
X-Mailer: Alimail-Mailagent revision 2695336
MIME-Version: 1.0
x-aliyun-mail-creator: W4_2696684_IChTW96aWxsYS81LjAgKFdpbmRvd3MgTlQgNi4xOyBXT1c2NCkgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgQ2hyb21lLzQzLjAuMjM1Ny44MSBTYWZhcmkvNTM3LjM2jM
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1qKY_QYudTHR6kNcOl8Js7ZutjQ>
Subject: [TLS] =?utf-8?q?add_challenge_in_TLS_v1=2E3_to_prevent_DDOS_attac?= =?utf-8?q?k=3F?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bingzheng Wu <bingzheng.wbz@alibaba-inc.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 08:46:28 -0000

Hi all,

TLS is susceptible to DDOS attack.
In TLS v1.3, attackers can generate ClientHello and ClientKeyshare messages easily,
while the server has to consume large amounts of CPU doing asymmetric crypto operations to generate ServerKeyshare and ServerCertificateVerify messages.

So, could we add a challenge-response mode in TLS v1.3 to increase the attacker's cost ?

The mode is disable in usual.
If the server think it's under attack (e.g. >1000 qps), it could enable this mode by responding a HelloRetryRequest (or a new type) message to the client with a challenge.
The client receiving the challenge must solve the challenge which is expensive in CPU, and continue the handshake by carrying the challenge's answer.

For example, server could make the challenge by encrypting an random number by a RSA public key (which is short), and send the private key (which is long) and cipher text to client.

This challenge mode may bring extra CPU consumption for normal clients when the server is under attack, but it can reduce the attack's influence for server, to prevent DDOS attack.

Obviously, this mode must be a part of TLS's main body, while being an extension dose not work.

Is this a feasible idea?

Bingzheng Wu