Re: [TLS] TLS client puzzles

Kyle Rose <> Thu, 30 June 2016 02:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 73EE112D5D8 for <>; Wed, 29 Jun 2016 19:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jp80ZWa8q7hi for <>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 8B79512D593 for <>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
Received: by with SMTP id m2so35364379qtd.1 for <>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9HeOh/bwtHMWNkSaD6GDPe6QkUEt3SvOl04P+wGnwc0=; b=lDNGUoS8qGXhWQKO491wE9d1TXIzMw2fubnrlblFEzsfOYD/0FkT7KI3F2j/CokrjG hEk/FjoZaGdIMywPmeatBXVLSxi0g8qdEutpE2aK6cyJlzZHF9mzHKmKOry6ZImd4GvM X6A3vZxX6k8M6YaySIYh6bayrAbxRFc+Ra/Ek=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9HeOh/bwtHMWNkSaD6GDPe6QkUEt3SvOl04P+wGnwc0=; b=dojL0ZkDTgGZChXER3lV9mhf7km8V4EeenEaBD44069bxrWdOYqsk5nxUGnPDHBgmC XwwUtdk2tLFcf5vsl95UP5/ezKu44vk1w35r4fYjj/4JxzpzUtY2qSK9L63wreB/8CMF 3TVht+lEmN2nRriktN5Y03XCwK0TZNLhuZuKqnbRzuPMTdcHIWZbD5/74BDcDMVkwScS NVqTXJKuXJNJuqYR7ryqA61x1ezLg12v5ZRfayeFRQvIkxmUW8dmMuHJgW77C4AU7TJS afPWJ/WKC2h6jgF4SMkpg7uIDPT+/nldbvUmwTlQ+dSC8vY8xRjGedcrjHvx4Rzq3IAz /MXQ==
X-Gm-Message-State: ALyK8tJc5c2QIRRL+cqORE/UpU/nfHFbUBo8IrLNuEv5sw2T82q2HmENZl1QzxEmU8gkP7Gy+bttqZZhr8XZ6A==
X-Received: by with SMTP id r25mr19729016qta.3.1467252009679; Wed, 29 Jun 2016 19:00:09 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 29 Jun 2016 19:00:08 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:121:7d87:9ebb:e00f:906b]
In-Reply-To: <>
References: <> <> <> <>
From: Kyle Rose <>
Date: Wed, 29 Jun 2016 22:00:08 -0400
Message-ID: <>
To: Christian Huitema <>
Content-Type: multipart/alternative; boundary="001a1147ea5ed55b180536753a35"
Archived-At: <>
Cc: "<>" <>, Dmitry Khovratovich <>
Subject: Re: [TLS] TLS client puzzles
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jun 2016 02:00:13 -0000

On Wed, Jun 29, 2016 at 5:41 PM, Christian Huitema <>

> On Wednesday, June 29, 2016 2:08 PM, Kyle Rose wrote:
> >
> > Raising the cost of requests has a similar problem in that you're
> punishing
> > every client, but in doing so you do allow all clients capable of
> absorbing
> > the increased cost (e.g., memory, computing power) to get access to the
> > resources they need if the user is willing to accept that cost (e.g.,
> energy,
> > latency).
> The obvious issue with the "proof of work" defense against DDOS is that
> the bot nets can do more work than many legitimate clients. The puzzle
> approach will cut off the least capable legitimate clients, such as old
> phones or IOT devices. It will not cut off the PC enrolled in a bot net. It
> will merely slow it down a little. But then, you could have the same effect
> by just delaying the response and enforcing one connection per client.

I agree with you that the above seems equivalent in theory, but in practice
it might not be feasible.

The biggest obstacle seems to be enforcing one connection per client. Let's
say rate limiting on a per-client basis doesn't work because many of your
clients are behind a NAT; or because the attacker is using IPv6 and
generates a ton of temporary addresses that make the situation
indistinguishable from many legitimate clients in the same subnet. So you
can either serve one (or a small N) of them at a time, or you drop that
restriction and allow a single client to mount an asymmetric attack.

Alternatively, what if you have lots of geographically-distributed servers
and can't share client rate limiting state among them quickly enough to
detect and blacklist attackers?

It's possible there are additional asymmetric attack vectors I'm not
thinking of, which is why I like this as a general defense against a class
of attacks. I mostly agree it's mostly worthless when you have one server
facing a botnet of 100,000 machines, but frankly that one server is a
sitting duck regardless of countermeasures. OTOH, what if you have 20,000
servers facing such a botnet? Client puzzles effectively become a mechanism
for enforcing distributed rate limiting, and could be used to dramatically
raise the cost of mounting such an attack.

I have to think a lot more about the IoT/resource-constrained client
problem, but I still don't think the existence of clients that would be  by
this scheme