Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

Ilari Liusvaara <> Mon, 08 June 2015 09:32 UTC

Date: Mon, 8 Jun 2015 12:31:55 +0300
From: Ilari Liusvaara <>
To: Bingzheng Wu <>
Message-ID: <20150608093155.GA24860@LK-Perkele-VII>
References: <----3-------MPf3-$>
Cc: tls <>
Subject: Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

On Mon, Jun 08, 2015 at 04:46:18PM +0800, Bingzheng Wu wrote:
> Hi all,
> TLS is susceptible to DDOS attack.
> In TLS v1.3, attackers can generate ClientHello and
> ClientKeyshare messages easily, while the server has to
> consume large amounts of CPU doing asymmetric crypto operations
> to generate ServerKeyshare and ServerCertificateVerify messages.

Note that this type of attack already works in TLS 1.2.

> So, could we add a challenge-response mode in TLS v1.3 to
> increase the attacker's cost ?

There is already an issue about this (but given the nature of that
issue, it should be discussed on this ML, especially as it
still seems to be open).

> The mode is disabled in usual operation.
> If the server thinks it's under attack (e.g. >1000 qps), it
> could enable this mode by responding with a HelloRetryRequest (or
> a new type) message to the client with a challenge.
> The client receiving the challenge must solve the challenge,
> which is expensive in CPU, and continue the handshake by
> carrying the challenge's answer.

One has to be careful that this kind of thing doesn't introduce
security issues. E.g. proper implementations cannot restart a
handshake, and repeating yourself is a legendary source of bugs.

> For example, the server could make the challenge by encrypting a
> random number with an RSA public key (which is short), and send
> the private key (which is long) and the ciphertext to the client.

The usual way things like this are done is via hashes.

TLS13 github issue #9 has a link to an ML post describing one scheme:
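The following is an added illustration of the hash-based style of challenge Ilari refers to, written for this page; it is not code from the thread, from the linked ML post, or from any TLS draft. The framing (a stateless server puzzle bound to the original ClientHello by an HMAC, solved by the client with a brute-force nonce search) is a constructed example, and all names (`make_challenge`, `solve`, `verify`, `SERVER_SECRET`) are assumptions. Binding the puzzle to the unchanged ClientHello bytes is one way to keep "retry with the answer" from becoming a second, different handshake, which is the restart hazard the reply warns about.

```python
"""Hash-based client puzzle for a HelloRetryRequest-style challenge.

Constructed example: the server issues a stateless challenge whose MAC
binds it to the client's exact ClientHello bytes; the client must find a
nonce such that SHA-256(challenge || nonce) starts with `difficulty`
zero bits (expected cost ~2^difficulty hashes); the server verifies with
one HMAC and one SHA-256, whatever the difficulty.
"""
import hashlib
import hmac
import os
import struct
import time

# Per-server key for the challenge MAC. Assumption: rotated periodically so
# old puzzles cannot be banked and replayed after the key changes.
SERVER_SECRET = os.urandom(32)

HEADER_FMT = ">IB"          # 32-bit issue timestamp, 8-bit difficulty
TAG_LEN = 16                # truncated HMAC-SHA256 tag
CHALLENGE_LEN = struct.calcsize(HEADER_FMT) + TAG_LEN


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the puzzle's difficulty measure)."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def make_challenge(client_hello: bytes, difficulty: int, now=None,
                   secret: bytes = SERVER_SECRET) -> bytes:
    """Server side. The server keeps no per-client state: everything it
    needs to verify later is in the challenge itself, authenticated by the
    MAC, which also covers the ClientHello so a solution only works for
    a retry carrying the identical hello."""
    ts = int(time.time()) if now is None else now
    header = struct.pack(HEADER_FMT, ts, difficulty)
    tag = hmac.new(secret, header + client_hello, hashlib.sha256).digest()[:TAG_LEN]
    return header + tag


def solve(challenge: bytes, max_iters: int = 1 << 32) -> bytes:
    """Client side. Brute-force an 8-byte nonce; the cost grows as
    2^difficulty while the server's verification cost stays constant."""
    _, difficulty = struct.unpack(HEADER_FMT, challenge[:struct.calcsize(HEADER_FMT)])
    for i in range(max_iters):
        nonce = i.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= difficulty:
            return nonce
    raise RuntimeError("no solution within max_iters")


def verify(client_hello: bytes, challenge: bytes, nonce: bytes, now=None,
           max_age: int = 30, secret: bytes = SERVER_SECRET) -> bool:
    """Server side. Reject malformed, expired, tampered (MAC mismatch,
    e.g. lowered difficulty) or re-targeted (different hello) challenges
    before doing the single hash that checks the client's work."""
    if len(challenge) != CHALLENGE_LEN or len(nonce) != 8:
        return False
    hdr_len = struct.calcsize(HEADER_FMT)
    ts, difficulty = struct.unpack(HEADER_FMT, challenge[:hdr_len])
    now = int(time.time()) if now is None else now
    if not 0 <= now - ts <= max_age:
        return False
    expected = hmac.new(secret, challenge[:hdr_len] + client_hello,
                        hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, challenge[hdr_len:]):
        return False
    return leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= difficulty


if __name__ == "__main__":
    # Constructed stand-in for a ClientHello; any bytes work for the demo.
    hello = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)
    chal = make_challenge(hello, difficulty=16)
    answer = solve(chal)
    print("nonce", answer.hex(), "accepted:", verify(hello, chal, answer))
```

Difficulty 16 costs the client roughly 65k SHA-256 calls and the server two; raising the difficulty under load (the ">1000 qps" trigger in the proposal) scales only the client side. Note that the timestamp window bounds how long a pre-computed solution stays valid, and that the MAC, not the difficulty byte alone, is what stops a client from rewriting the puzzle to an easier one.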