
Re: Mitigating DDoS via Proof of Patience

From: james anderson <james@dydra.com>
Date: Sun, 28 Jun 2015 08:27:48 +0000
Message-ID: <0000014e394791c0-9c002ce3-914a-449a-b59d-9d5ad0615bea-000000@eu-west-1.amazonses.com>
To: Credentials Community Group <public-credentials@w3.org>
good morning;

> On 2015-06-28, at 08:12, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
> Keeping the Credentials CG in the loop...
> 
> We're in the process of building out some of the Decentralized Hash
> Table functionality for the identifiers that we expect will be needed
> for credential portability. Part of this work requires that the
> decentralized identifiers should be protected from distributed denial of
> service attacks. We have created a new type of proof, called a "Proof of
> Patience", that helps mitigate against these sorts of attacks in a way
> that is more effective than proof of work.
> 
> The technology has been written up in IETF RFC form and published here:
> 
> https://tools.ietf.org/html/draft-sporny-http-proofs-01
> 
> Abstract
> 
>   For a client to access a particular resource on the Web, a server
>   must expend a certain amount of computational effort to respond to
>   the request.  In some cases this computational effort is sizeable and
>   the server may want to only respond to certain clients.  For example,
>   in a distributed denial-of-service attack, a server may require all
>   clients to expend a certain amount of resources via a client-run
>   proof-of-work algorithm to throttle the number of incoming requests
>   to a more manageable number.  This document details a new
>   authentication scheme for HTTP that may be used to request and
>   transmit proofs in HTTP headers.

there are two possible consequential distinctions between this and a 503 with a retry time

- the challenge/retry exchange carries state and could relieve the server of administering it.
- the protocol could entail a service guarantee. that is, it may be that a server must not respond to a legitimate challenge response with another 401 challenge. is that the case?

are there other advantages?

best regards, from berlin,
---
james anderson | james@dydra.com | http://dydra.com
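The exchange under discussion, as an added illustration that is not code from draft-sporny-http-proofs-01 and not Digital Bazaar's implementation: a server hands out a challenge, the client either burns CPU ("work") or waits ("patience"), and the server verifies the returned proof. The point raised above, that the challenge/retry exchange can carry its own state, is shown by making the challenge self-authenticating with an HMAC, so the server stores nothing per client. The "Proof" header syntax, the token layout, the field names and the 300-second lifetime are all assumptions made here, not taken from the draft.

```python
"""Stateless challenge/response proofs in HTTP-style headers (added example).

Header syntax, token layout and lifetimes are assumptions, not the draft's.
"""
import base64
import hashlib
import hmac
import json
import os
import time

SERVER_KEY = os.urandom(32)  # assumed: per-process secret, never sent to clients


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the proof-of-work measure used here)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def issue_challenge(resource, mode, param, now=None, key=SERVER_KEY):
    """Server side. mode "work": param = required leading zero bits;
    mode "patience": param = seconds the client must wait before retrying.
    The HMAC tag lets the server recognise its own challenge later, so it
    keeps no per-client state between the 401 and the retry."""
    now = time.time() if now is None else now
    body = {
        "r": resource,
        "m": mode,
        "p": param,
        "nb": now + (param if mode == "patience" else 0),  # not-before time
        "exp": now + 300,                                  # assumed lifetime
        "n": _b64(os.urandom(8)),                          # nonce per challenge
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return _b64(payload) + "." + tag


def challenge_header(token, mode):
    """Hypothetical 401 header carrying the challenge to the client."""
    return f'WWW-Authenticate: Proof mode="{mode}", challenge="{token}"'


def solve_work(token, difficulty):
    """Client side: find a counter so SHA-256(token:counter) has enough leading zeros."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{token}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def proof_header(token, answer=None):
    """Hypothetical Authorization header carrying the proof back to the server."""
    value = f'Proof challenge="{token}"'
    if answer is not None:
        value += f', proof="{answer}"'
    return "Authorization: " + value


def verify_proof(token, answer=None, now=None, key=SERVER_KEY):
    """Server side. Returns (ok, reason). Everything needed comes back inside
    the token, so verification needs no lookup against stored state."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag = token.split(".")
        payload = _unb64(payload_b64)
        body = json.loads(payload)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"        # not our challenge, or tampered with
    if now > body["exp"]:
        return False, "expired"
    if body["m"] == "patience":
        if now < body["nb"]:
            return False, "too early"  # client did not wait long enough
        return True, "ok"
    if body["m"] == "work":
        digest = hashlib.sha256(f"{token}:{answer}".encode()).digest()
        if leading_zero_bits(digest) < body["p"]:
            return False, "insufficient work"
        return True, "ok"
    return False, "unknown mode"


if __name__ == "__main__":
    tok = issue_challenge("/identifiers/example", "work", 12)
    print("S->C 401", challenge_header(tok, "work"))
    ans = solve_work(tok, 12)
    print("C->S GET", proof_header(tok, ans))
    print("server:", verify_proof(tok, ans))
    tok = issue_challenge("/identifiers/example", "patience", 2)
    print("S->C 401", challenge_header(tok, "patience"))
    print("server, retried at once:", verify_proof(tok))
    time.sleep(2.1)
    print("server, retried after waiting:", verify_proof(tok))
```

The trade-off a deployment has to settle is that a fully stateless verifier cannot tell a first presentation of a valid proof from a replay of it within the lifetime window; if that matters, the server keeps a small set of nonces already redeemed, or binds the proof to something the request itself changes, which is exactly the state the challenge was meant to offload.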
Received on Sunday, 28 June 2015 08:28:22 UTC
