Re: [TLS] TLS client puzzles
Kyle Rose <krose@krose.org> Thu, 30 June 2016 02:00 UTC
Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73EE112D5D8 for <tls@ietfa.amsl.com>; Wed, 29 Jun 2016 19:00:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jp80ZWa8q7hi for <tls@ietfa.amsl.com>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B79512D593 for <tls@ietf.org>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id m2so35364379qtd.1 for <tls@ietf.org>; Wed, 29 Jun 2016 19:00:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=9HeOh/bwtHMWNkSaD6GDPe6QkUEt3SvOl04P+wGnwc0=; b=lDNGUoS8qGXhWQKO491wE9d1TXIzMw2fubnrlblFEzsfOYD/0FkT7KI3F2j/CokrjG hEk/FjoZaGdIMywPmeatBXVLSxi0g8qdEutpE2aK6cyJlzZHF9mzHKmKOry6ZImd4GvM X6A3vZxX6k8M6YaySIYh6bayrAbxRFc+Ra/Ek=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=9HeOh/bwtHMWNkSaD6GDPe6QkUEt3SvOl04P+wGnwc0=; b=dojL0ZkDTgGZChXER3lV9mhf7km8V4EeenEaBD44069bxrWdOYqsk5nxUGnPDHBgmC XwwUtdk2tLFcf5vsl95UP5/ezKu44vk1w35r4fYjj/4JxzpzUtY2qSK9L63wreB/8CMF 3TVht+lEmN2nRriktN5Y03XCwK0TZNLhuZuKqnbRzuPMTdcHIWZbD5/74BDcDMVkwScS NVqTXJKuXJNJuqYR7ryqA61x1ezLg12v5ZRfayeFRQvIkxmUW8dmMuHJgW77C4AU7TJS afPWJ/WKC2h6jgF4SMkpg7uIDPT+/nldbvUmwTlQ+dSC8vY8xRjGedcrjHvx4Rzq3IAz /MXQ==
X-Gm-Message-State: ALyK8tJc5c2QIRRL+cqORE/UpU/nfHFbUBo8IrLNuEv5sw2T82q2HmENZl1QzxEmU8gkP7Gy+bttqZZhr8XZ6A==
X-Received: by 10.200.46.25 with SMTP id r25mr19729016qta.3.1467252009679; Wed, 29 Jun 2016 19:00:09 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.80.66 with HTTP; Wed, 29 Jun 2016 19:00:08 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:121:7d87:9ebb:e00f:906b]
In-Reply-To: <DM2PR0301MB065578E6EF0073A6D5B6C0CEA8230@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <CALW8-7Kv01Dw3YBiW20SBEScWqkup53xpCjy8834PpLDkgb4cg@mail.gmail.com> <CAFewVt4uUA-3X3M-ZmREo81p+MZp+72g9CX1d1Z7bK8G8AL9Vg@mail.gmail.com> <CAJU8_nWoTXLspS2mhwZLZhXxEMOYsWatU4T+UH10B+d=TExFJg@mail.gmail.com> <DM2PR0301MB065578E6EF0073A6D5B6C0CEA8230@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Kyle Rose <krose@krose.org>
Date: Wed, 29 Jun 2016 22:00:08 -0400
Message-ID: <CAJU8_nWnr60PpBiKsEmvkL47YE8BoKTwjraj62ETB7_=W9pvKQ@mail.gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1147ea5ed55b180536753a35"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kWfK0A_mVTYKJ5zpPL0gbH6vnWg>
Cc: "<tls@ietf.org>" <tls@ietf.org>, Dmitry Khovratovich <khovratovich@gmail.com>
Subject: Re: [TLS] TLS client puzzles
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2016 02:00:13 -0000
On Wed, Jun 29, 2016 at 5:41 PM, Christian Huitema <huitema@microsoft.com> wrote: > On Wednesday, June 29, 2016 2:08 PM, Kyle Rose wrote: > > > > Raising the cost of requests has a similar problem in that you're > punishing > > every client, but in doing so you do allow all clients capable of > absorbing > > the increased cost (e.g., memory, computing power) to get access to the > > resources they need if the user is willing to accept that cost (e.g., > energy, > > latency). > > The obvious issue with the "proof of work" defense against DDOS is that > the bot nets can do more work than many legitimate clients. The puzzle > approach will cut off the least capable legitimate clients, such as old > phones or IOT devices. It will not cut off the PC enrolled in a bot net. It > will merely slow it down a little. But then, you could have the same effect > by just delaying the response and enforcing one connection per client. > I agree with you that the above seems equivalent in theory, but in practice it might not be feasible. The biggest obstacle seems to be enforcing one connection per client. Let's say rate limiting on a per-client basis doesn't work because many of your clients are behind a NAT; or because the attacker is using IPv6 and generates a ton of temporary addresses that make the situation indistinguishable from many legitimate clients in the same subnet. So you can either serve one (or a small N) of them at a time, or you drop that restriction and allow a single client to mount an asymmetric attack. Alternatively, what if you have lots of geographically-distributed servers and can't share client rate limiting state among them quickly enough to detect and blacklist attackers? It's possible there are additional asymmetric attack vectors I'm not thinking of, which is why I like this as a general defense against a class of attacks. I mostly agree it's mostly worthless when you have one server facing a botnet of 100,000 machines, but frankly that one server is a sitting duck regardless of countermeasures. OTOH, what if you have 20,000 servers facing such a botnet? Client puzzles effectively become a mechanism for enforcing distributed rate limiting, and could be used to dramatically raise the cost of mounting such an attack. I have to think a lot more about the IoT/resource-constrained client problem, but I still don't think the existence of clients that would be by this scheme Kyle
- Re: [TLS] TLS client puzzles Erik Nygren
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Bill Cox
- Re: [TLS] TLS client puzzles Peter Gutmann
- Re: [TLS] TLS client puzzles Dave Garrett
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles Tony Arcieri
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Salz, Rich
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles David Adrian
- Re: [TLS] TLS client puzzles Yoav Nir
- Re: [TLS] TLS client puzzles Valery Smyslov
- Re: [TLS] TLS client puzzles Christian Huitema
- Re: [TLS] TLS client puzzles Geoffrey Keating
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Christian Huitema
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Brian Smith
- [TLS] TLS client puzzles Dmitry Khovratovich
- Re: [TLS] TLS client puzzles Bill Cox