Firewall Wizards mailing list archives
Re: client puzzle protocol
From: "Michael B. Rash" <mbr () math umd edu>
Date: Sat, 19 Feb 2000 01:44:01 -0500 (EST)
On Fri, 18 Feb 2000, Gregory Stark wrote: : When a client tries to open a TCP connection the server hands him a puzzle : (via UDP so we do not care if they get it, they'll just have to ask again if : they don't). The client must solve the puzzle and send it back to the server : (via UDP so if the client becomes impatient it can send it again). If the : server receives a correctly completed puzzle, suitably fresh, it reallocates : the state and completes the TCP connection with the client. The server must : be able to cheaply discard bogus solutions so we cannot use public key : cryptography. : : Please explain where/why the server must retain state information which : makes it susceptible to DoS? Ahh, this is the crux of the problem. Reading the paper more carefully, the CPP specifies that when a server comes under attack, the following exchange takes place (Mi=i_th message, t=time, P=puzzle): Client Server -----Mi, "Puzzle?"---> <--"Yes, Puzzle",P,t--- ------ solution -----> verify bunch of things <------ Mi ------> connection established Note the the puzzle, P, does not depend on Mi. It only depends on the time t. Hence the puzzle solution can be verified independent of any state w.r.t. the requesting IP. They also say in the paper that one underlying assumption is that an attacker cannot saturate the network bandwidth, which seem to be a reasonable assumption. (If you take away soneones bandwidth completely then they win... no amount of cleverness with CPP or anything else would make a difference.) So the question simply comes down to "whether the server can farm out puzzles fast enough", instead of "whether the server can farm out puzzles and maintain state fast enough"... hmm... seems like it would be an advantage but it is certainly no longer TCP. --Michael B. Rash | "...the whole aim of practical politics is | to keep the populace alarmed (and hence http://www.math.umd.edu/~mbr | clamorous to be led to safety) by an | endless series of hobgoblins..." -Mencken
Current thread:
- Re: client puzzle protocol, (continued)
- Re: client puzzle protocol Michael B. Rash (Feb 17)
- Re: client puzzle protocol Paul Cardon (Feb 20)
- Re: client puzzle protocol Michael B. Rash (Feb 19)
- Re: client puzzle protocol Ge' Weijers (Feb 21)
- Re: client puzzle protocol daN. (Feb 24)
- Re: client puzzle protocol Todd Joseph (Feb 20)
- Re: client puzzle protocol Shafik Yaghmour (Feb 17)
- Re: client puzzle protocol Antonomasia (Feb 17)
- Re: client puzzle protocol Tommy Ward (Feb 19)
- Re: client puzzle protocol Gregory Stark (Feb 20)
- Re: client puzzle protocol Michael B. Rash (Feb 19)
- Re: client puzzle protocol Antonomasia (Feb 21)