Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

CodesInChaos <codesinchaos@gmail.com> Mon, 08 June 2015 09:17 UTC


Not sure if this is a practical concern. If an attacker has so many
computers/IPs that IP blacklisting doesn't help anymore (TCP makes IP
spoofing difficult), they probably could simply flood the victim's
connection instead of relying on expensive crypto operations for DoS.

Your proposed proof-of-work doesn't look ideal either, since the cost
is fixed at a low value. Some variant of hashcash is clearly better.
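To make the "fixed cost vs. hashcash" distinction concrete, here is an added example (not code from the poster or from any TLS implementation) of a hashcash-style client puzzle whose cost the server can scale with load. It assumes a puzzle of the form SHA-256(nonce || counter) with a required number of leading zero bits; the server issues a random nonce, the client searches for a counter, and the server verifies with a single hash. The `adjust_difficulty` policy (raise by one bit when pending handshakes exceed a soft limit, lower when idle) is an illustrative assumption, not a standardized rule.

```python
import hashlib
import os
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the hashcash 'work' measure)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        # First non-zero byte: its leading zeros are 8 minus its bit length.
        count += 8 - byte.bit_length()
        break
    return count


def puzzle_hash(nonce: bytes, counter: int) -> bytes:
    """SHA-256 over nonce || counter (assumed puzzle construction)."""
    return hashlib.sha256(nonce + struct.pack(">Q", counter)).digest()


def make_challenge(difficulty_bits: int) -> dict:
    """Server side: fresh random nonce plus the current difficulty.

    The nonce is unpredictable so solutions cannot be precomputed, and the
    server keeps no per-client state until a valid solution arrives.
    """
    return {"nonce": os.urandom(16), "bits": difficulty_bits}


def solve_challenge(nonce: bytes, bits: int, max_iters: int = 1 << 32) -> int:
    """Client side: brute-force a counter; expected work is about 2**bits hashes."""
    for counter in range(max_iters):
        if leading_zero_bits(puzzle_hash(nonce, counter)) >= bits:
            return counter
    raise RuntimeError("no solution within max_iters")


def verify_solution(nonce: bytes, bits: int, counter: int) -> bool:
    """Server side: one hash to check, regardless of how hard the puzzle was."""
    return leading_zero_bits(puzzle_hash(nonce, counter)) >= bits


def adjust_difficulty(current_bits: int, pending_handshakes: int,
                      soft_limit: int, min_bits: int = 0, max_bits: int = 24) -> int:
    """Illustrative policy: cost grows under load and decays when load drops.

    This is what a fixed-cost puzzle cannot do: with a constant difficulty the
    attacker's per-connection cost never rises, while an adaptive difficulty
    lets the server keep its own verification cost constant and push the
    extra work onto whoever is opening the most connections.
    """
    if pending_handshakes > soft_limit:
        return min(max_bits, current_bits + 1)
    if pending_handshakes < soft_limit // 2:
        return max(min_bits, current_bits - 1)
    return current_bits


if __name__ == "__main__":
    # Constructed demo: a 12-bit puzzle takes a few thousand hashes to solve
    # and a single hash to verify.
    bits = adjust_difficulty(11, pending_handshakes=500, soft_limit=100)
    challenge = make_challenge(bits)
    answer = solve_challenge(challenge["nonce"], challenge["bits"])
    print("difficulty", bits, "counter", answer,
          "valid", verify_solution(challenge["nonce"], challenge["bits"], answer))
```

The asymmetry is the whole point: the client's expected work doubles with every extra bit of difficulty, while the server's verification stays at one hash, so the server can raise the bar during an attack without raising its own cost.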