Firewall Wizards mailing list archives

Re: client puzzle protocol


From: Antonomasia <ant () notatla demon co uk>
Date: Mon, 21 Feb 2000 00:09:20 GMT

From: "Gregory Stark" <greg () securityguides com>

> From: "Antonomasia" <ant () notatla demon co uk>
> > It may prevent spoofing, but I think massive parallel puzzling by large
> > numbers of zombies with genuine unwanted connections will beat this and
> > anything else of the kind.
>
> The RSA paper does in fact handle this. Similar ideas have been mentioned on
> the IPsec mailing list.
>
> The basic idea is to make the client save the state info that the server
> normally would save. ....
>
> Please explain where/why the server must retain state information which
> makes it susceptible to DoS?

That wasn't what I said.  Had you quoted me more fully you'd have noticed
that I mentioned how a client can be made to keep the state.
My point in the above paragraph is that the compute burden is placed on the
zombie machines, which can be recruited in their thousands, with the result
that many connections do get opened and do (after opening) use resources.

That the machines connecting (and solving the puzzles) are the many zombies
and not the attacker means that the cost is not borne by the attacker.  This
means a puzzle scheme that is fine for direct DoS is poor against DDoS.
I speculate that this remains true regardless of the nature of the puzzle.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
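The exchange the two posters are arguing over, as an added example that is not part of this thread and not the RSA paper's exact construction: a hash-preimage client puzzle in which the server binds the challenge to the client with an HMAC under its own secret, so the client, not the server, carries the pending-connection state. The puzzle format, the HMAC binding, the 30-second validity window and the "zombie-N" client identifiers are assumptions made for this example. The last function runs the DDoS case Antonomasia describes: many hosts each solve their own puzzle, every one is accepted, and the work never touches the attacker.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Constructed for this example: a fresh per-process server secret.  A real
# server would rotate it and keep it out of the client's reach.
SERVER_SECRET = os.urandom(32)


@dataclass(frozen=True)
class Puzzle:
    nonce: bytes       # fresh per challenge
    issued: int        # server clock (seconds) when the puzzle was handed out
    difficulty: int    # leading zero bits the solution hash must have
    tag: bytes         # HMAC over (client_id, nonce, issued, difficulty)


def _tag(secret: bytes, client_id: bytes, nonce: bytes, issued: int, difficulty: int) -> bytes:
    msg = client_id + nonce + issued.to_bytes(8, "big") + bytes([difficulty])
    return hmac.new(secret, msg, hashlib.sha256).digest()


def make_puzzle(client_id: bytes, difficulty: int, now: int, secret: bytes = SERVER_SECRET) -> Puzzle:
    """Server side: hand the client everything needed to verify later, so the
    server stores nothing per pending connection (the client carries the state)."""
    nonce = os.urandom(16)
    return Puzzle(nonce, now, difficulty, _tag(secret, client_id, nonce, now, difficulty))


def _leading_zero_bits(digest: bytes) -> int:
    bits = 0
    for b in digest:
        if b == 0:
            bits += 8
            continue
        bits += 8 - b.bit_length()
        break
    return bits


def solve_puzzle(puzzle: Puzzle) -> Tuple[int, int]:
    """Client side: brute-force a counter until SHA-256(tag || counter) has the
    required leading zero bits.  Returns (solution, hashes_tried); expected
    work is about 2**difficulty hashes and there is no shortcut."""
    counter = 0
    while True:
        h = hashlib.sha256(puzzle.tag + counter.to_bytes(8, "big")).digest()
        if _leading_zero_bits(h) >= puzzle.difficulty:
            return counter, counter + 1
        counter += 1


def verify_puzzle(client_id: bytes, puzzle: Puzzle, solution: int, now: int,
                  secret: bytes = SERVER_SECRET, max_age: int = 30) -> bool:
    """Server side: one HMAC plus one hash and no table lookup.  A client cannot
    forge a puzzle or lower its difficulty without the secret, and expired
    puzzles are refused so solutions cannot be stockpiled in advance.
    Caveat: with no state at all, the same (puzzle, solution) pair is accepted
    again within max_age; rejecting replays needs a cache of recent nonces,
    which is the kind of per-connection state the scheme set out to avoid."""
    if now < puzzle.issued or now - puzzle.issued > max_age:
        return False
    if not 0 <= solution < 2 ** 64:
        return False
    expected = _tag(secret, client_id, puzzle.nonce, puzzle.issued, puzzle.difficulty)
    if not hmac.compare_digest(expected, puzzle.tag):
        return False
    h = hashlib.sha256(puzzle.tag + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits(h) >= puzzle.difficulty


def simulate_zombies(num_hosts: int, difficulty: int, now: int = 1000) -> dict:
    """Each zombie requests, solves and submits its own puzzle.  All of them
    pass, so the server ends up with num_hosts open connections; the solving
    work is spread across the zombies and none of it lands on their controller."""
    work = []
    accepted = 0
    for i in range(num_hosts):
        client_id = f"zombie-{i}".encode()   # constructed identifiers
        puzzle = make_puzzle(client_id, difficulty, now)
        solution, hashes = solve_puzzle(puzzle)
        work.append(hashes)
        if verify_puzzle(client_id, puzzle, solution, now + 1):
            accepted += 1
    return {"accepted": accepted, "hashes_per_zombie": work, "total_hashes": sum(work)}


if __name__ == "__main__":
    result = simulate_zombies(num_hosts=20, difficulty=12)
    print(f"accepted {result['accepted']} connections; "
          f"max work on any one zombie: {max(result['hashes_per_zombie'])} hashes")
```

Two things fall out of running it. The server's cost per connection is one HMAC and one SHA-256 regardless of difficulty, which is the point of pushing state to the client and why direct, spoofed floods are handled. The total solving work grows with the number of zombies, but the work per zombie is fixed at roughly 2**difficulty hashes, each zombie is a real host with a real address, and every accepted puzzle becomes a real connection that then consumes whatever the service behind it consumes; raising the difficulty only shifts where on the zombie the cost lands, never onto the attacker.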


