Re: [TLS] TLS client puzzles

Christian Huitema <huitema@microsoft.com> Wed, 29 June 2016 21:41 UTC

From: Christian Huitema <huitema@microsoft.com>
To: Kyle Rose <krose@krose.org>, Brian Smith <brian@briansmith.org>
Date: Wed, 29 Jun 2016 21:41:10 +0000
Message-ID: <DM2PR0301MB065578E6EF0073A6D5B6C0CEA8230@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CALW8-7Kv01Dw3YBiW20SBEScWqkup53xpCjy8834PpLDkgb4cg@mail.gmail.com> <CAFewVt4uUA-3X3M-ZmREo81p+MZp+72g9CX1d1Z7bK8G8AL9Vg@mail.gmail.com> <CAJU8_nWoTXLspS2mhwZLZhXxEMOYsWatU4T+UH10B+d=TExFJg@mail.gmail.com>
In-Reply-To: <CAJU8_nWoTXLspS2mhwZLZhXxEMOYsWatU4T+UH10B+d=TExFJg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PkprRF3hI5edQ2x0zunPv41xP4s>
Cc: Dmitry Khovratovich <khovratovich@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] TLS client puzzles

On Wednesday, June 29, 2016 2:08 PM, Kyle Rose wrote:
>
> Raising the cost of requests has a similar problem in that you're punishing 
> every client, but in doing so you do allow all clients capable of absorbing 
> the increased cost (e.g., memory, computing power) to get access to the 
> resources they need if the user is willing to accept that cost (e.g., energy, 
> latency).

The obvious issue with the "proof of work" defense against DDoS is that botnets can do more work than many legitimate clients. The puzzle approach will cut off the least capable legitimate clients, such as old phones or IoT devices. It will not cut off the PC enrolled in a botnet. It will merely slow it down a little. But then, you could have the same effect by just delaying the response and enforcing one connection per client.

-- Christian Huitema
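As an added illustration (not part of this message or of the client-puzzle proposal under discussion), a minimal hash-preimage client puzzle with solver and verifier, plus the cost model behind the argument above: expected work is 2^k hash evaluations, so a puzzle that costs a weak client seconds costs a machine with 100 times the hash rate one hundredth of that. The hash rates for the "old phone" and "bot PC" are constructed assumptions, not measurements.

```python
import hashlib
from math import ceil, log2

# Constructed 16-byte server challenge (a real server would draw it fresh per connection).
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def puzzle_hash(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge: bytes, difficulty: int) -> int:
    """Client side: brute-force a nonce whose hash has >= difficulty leading zero bits."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, nonce)) < difficulty:
        nonce += 1
    return nonce


def verify(challenge: bytes, difficulty: int, nonce: int) -> bool:
    """Server side: one hash evaluation, regardless of how long the client worked."""
    return leading_zero_bits(puzzle_hash(challenge, nonce)) >= difficulty


def expected_solve_seconds(difficulty: int, hashes_per_second: float) -> float:
    """Expected wall-clock cost of a k-bit puzzle: 2^k trials on average."""
    return (2 ** difficulty) / hashes_per_second


def difficulty_for_delay(target_seconds: float, hashes_per_second: float) -> int:
    """Smallest k whose expected cost reaches target_seconds for a client of this speed."""
    return ceil(log2(target_seconds * hashes_per_second))


# Constructed client classes: the argument needs only their ratio (100x), not exact numbers.
OLD_PHONE_HPS = 1e5
BOT_PC_HPS = 1e7

if __name__ == "__main__":
    k = 20
    print(f"phone: {expected_solve_seconds(k, OLD_PHONE_HPS):.2f}s, bot PC: {expected_solve_seconds(k, BOT_PC_HPS):.2f}s")
```

Tuning the difficulty so the bot pays a noticeable delay (difficulty_for_delay) pushes the weakest legitimate clients out by the same 100x ratio, which is the asymmetry the message points at.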