Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

"Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com> Mon, 08 June 2015 10:59 UTC

From: "Bingzheng Wu" <bingzheng.wbz@alibaba-inc.com>
To: "'CodesInChaos'" <codesinchaos@gmail.com>
References: <----3-------MPf3-$0147073b-d557-427b-a8c7-d3dd80aef07b@alibaba-inc.com> <CAK9dnSzgj=fchs8Zv=+ehmgttEMTNYe3nKHBynPKVgMQ9n+JUw@mail.gmail.com>
In-Reply-To: <CAK9dnSzgj=fchs8Zv=+ehmgttEMTNYe3nKHBynPKVgMQ9n+JUw@mail.gmail.com>
Date: Mon, 08 Jun 2015 18:59:21 +0800
Message-ID: <008c01d0a1da$2c9921c0$85cb6540$@alibaba-inc.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iT-3Bj94j7uDsUk3Xl2pC6tjCZY>
Cc: 'tls' <tls@ietf.org>
Subject: Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?

I talked about TLS level DDOS only, but not TCP level DDOS. I think they focus on different aspects.

I learned about the hash way of challenge from the link in Ilari's mail. It's better than my proposed way indeed. Thanks.


> -----Original Message-----
> From: CodesInChaos [mailto:codesinchaos@gmail.com]
> Sent: Monday, June 08, 2015 5:17 PM
> To: Bingzheng Wu
> Cc: tls
> Subject: Re: [TLS] add challenge in TLS v1.3 to prevent DDOS attack?
> 
> Not sure if this is a practical concern. If an attacker has so many computers/IPs
> that IP blacklisting doesn't help anymore (TCP makes IP spoofing difficult), they
> probably could simply flood the victim's connection instead of relying on
> expensive crypto operations for DoS.
> 
> Your proposed proof-of-work doesn't look ideal either, since the cost is fixed at
> a low value. Some variant of hashcash is clearly better.
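As an added illustration (not code from this thread or from any TLS implementation), the following sketches the hashcash-style client puzzle the reply prefers over a fixed-cost challenge: the server derives the challenge statelessly by HMACing the ClientHello bytes with a server secret, the client brute-forces a suffix until the hash has enough leading zero bits, and the server verifies with one HMAC and one hash. The class and function names, the wire encoding and the 8-byte counter are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest; this is the puzzle's cost measure."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


class PuzzleServer:
    """Issues and verifies stateless hashcash-style puzzles (example design, not a TLS extension)."""

    def __init__(self, difficulty: int, secret: bytes = None):
        # 'difficulty' is tunable at run time, so the cost is not fixed at a low value
        self.difficulty = difficulty
        self.secret = secret or os.urandom(32)

    def issue(self, client_hello: bytes) -> bytes:
        # Bind the challenge to the ClientHello via HMAC: no per-client state to exhaust
        return hmac.new(self.secret, client_hello, hashlib.sha256).digest()

    def verify(self, client_hello: bytes, challenge: bytes, solution: bytes) -> bool:
        # Recompute the challenge instead of looking it up; reject forged or replayed-on-other-hello challenges
        expected = self.issue(client_hello)
        if not hmac.compare_digest(expected, challenge):
            return False
        digest = hashlib.sha256(challenge + solution).digest()
        return leading_zero_bits(digest) >= self.difficulty


def solve(challenge: bytes, difficulty: int, limit: int = 1 << 32) -> bytes:
    """Client side: brute-force an 8-byte counter until the puzzle condition holds."""
    for counter in range(limit):
        solution = struct.pack(">Q", counter)
        if leading_zero_bits(hashlib.sha256(challenge + solution).digest()) >= difficulty:
            return solution
    raise RuntimeError("no solution within limit")
```

Verification cost stays constant while the client's expected work doubles per difficulty bit; as the reply notes, this only addresses handshake crypto cost, not a raw packet flood.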