Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

"Bingzheng Wu" <> Mon, 08 June 2015 11:05 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CC3801A1B8A for <>; Mon, 8 Jun 2015 04:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.6
X-Spam-Status: No, score=-0.6 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jIx5Fz67jNNn for <>; Mon, 8 Jun 2015 04:05:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CA5331A1B87 for <>; Mon, 8 Jun 2015 04:05:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=default; t=1433761556; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; bh=ujVd0lumJ074MFH6u1bxhdrxmV8JQtDwl2XY6N+uE38=; b=SGejZC8gZv5o1iE5EJC7x8WwdlXeOwfjRewfPFzcQ7YUPk8YZV1hk2Y2KE/pMuW7yXbHPYx4z97Thok8PH0gs6bgievuUoAyQhe0zoAI91EXQNvzD2R+pIN9yPgmDEFoYZxS26Hp49Vc8yHesTQrA+WjcedyP4+bjKhPp+IfNjg=
X-Alimail-AntiSpam: AC=PASS; BC=-1|-1; BR=01201311R841e4; FP=0|-1|-1|-1|0|-1|-1|-1; HT=r41g03025;; PH=DS; RN=2; RT=2; SR=0;
Received: from ali074145n( ip: by; Mon, 08 Jun 2015 19:05:49 +0800
From: "Bingzheng Wu" <>
To: "'Peter Gutmann'" <>, "'tls'" <>
References: <----3-------MPf3-$> <>
In-Reply-To: <>
Date: Mon, 08 Jun 2015 19:05:49 +0800
Message-ID: <008d01d0a1db$13db18e0$3b914aa0$>
MIME-Version: 1.0
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJM1bQwrAdL2mUOwfD9yh9pSzi+dQIFyyjFnJnaxDA=
Content-Language: zh-cn
Archived-At: <>
Subject: Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Bingzheng Wu <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 08 Jun 2015 11:05:59 -0000

Thanks for your information. I didn't know this before.
However I don't think this match my original purpose.

The tls-auth requires the client and server have PSK. 
But I want an general anti-DDOS method.
For example, this method could be used by general web browser to visit any
web sites.

Please fix me if I misunderstand the OpenVPN's method.


> -----Original Message-----
> From: Peter Gutmann []
> Sent: Monday, June 08, 2015 5:20 PM
> To: Bingzheng Wu; tls
> Subject: RE: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?
> Bingzheng Wu <> writes:
> >So, could we add a challenge-response mode in TLS v1.3 to increase the
> attacker's cost ?
> You don't need anything that complex, OpenVPN has for a number of years
> supported a very effective way of dealing with this, all you need to do is
> formalise that.  It doesn't really need TLS 1.3 either, since you can do
it in a
> standard extension.  OpenVPN gives it the very misleading name tls-auth,
> just a use of a PSK to MAC incoming packets, so the client-hello is
> authenticated and dropped unless it has a valid MAC signature.  This has
> protected OpenVPN against a number of OpenSSL vulnerabilities (as well as
> generic port-scanning and similar), most notably Heartbleed, where any
> attempt to exploit the vuln just bounced off, because unless you have the
> key you can't get past even the first hello message.
> I started work on an RFC draft for this a while back, but it got shelved
> of conflicts over making it OpenVPN-compatible or not, it shouldn't be too
> work to dig it out and finish it (albeit in a non-OpenVPN-compatible
> Peter.=