Ddos prevention for ssl

From: Erik Aronesty <erik@q32.com>
Date: Sat, 7 Aug 2021 18:13:05 -0700
Message-ID: <CAJowKg+6O90XYVYvN1WyPdEH10B3oPoLWcYp8ibhYk_d8LjKLw@mail.gmail.com>
To: HTTP Working Group <ietf-http-wg@w3.org>

SSL is increasingly required for website servers.

While this is a good thing, it does increase the burden on the server for

The amount of effort required to trigger key negotiations can be low
compared to the effort spent on the server.

An easy way to mitigate this would be for the server to require a small
proof of work.

A server can issue a nonce and a required proof level in order to proceed
with SSL negotiations.

Browsers could complete a proof of work within a millisecond or so.

In response to a denial of service attack the SSL layer could request an
increased proof of work for example.

Users of the website could then choose whether or not to comply based on
the difficulty and expected time of calculation.

A lightweight pow+authentication system like this could be a massive
deterrent for a denial of service attack.... effectively spreading the load
of the attack across all of the users of the site.
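
The nonce-plus-proof-level handshake sketched above, as an added example that is not part of the original post or of any HTTP WG work: a hashcash-style gate where the server issues a random nonce and a difficulty, the client searches for a counter, and the server checks the answer with a single hash. The single-use nonce store, the expiry, and the load-based `pick_difficulty` function are assumptions of this example, not something the post specifies.

```python
"""Hashcash-style proof-of-work gate in front of an expensive handshake (illustrative)."""
import hashlib
import secrets
import time

# Server-side record of outstanding challenges: nonce -> (bits, expiry).
# Nonces are single-use so a solved proof cannot be replayed (assumed design).
_outstanding = {}


def pick_difficulty(pending_handshakes: int, base_bits: int = 12,
                    per_step: int = 1000, max_bits: int = 24) -> int:
    """Raise the required proof level as handshake load grows; capped so a
    legitimate user can still judge whether the cost is acceptable."""
    return min(max_bits, base_bits + pending_handshakes // per_step)


def issue_challenge(bits: int, ttl_seconds: float = 30.0) -> dict:
    """Server: fresh random nonce plus the required number of leading zero bits."""
    nonce = secrets.token_hex(16)
    _outstanding[nonce] = (bits, time.monotonic() + ttl_seconds)
    return {"nonce": nonce, "bits": bits}


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _digest(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(nonce.encode() + counter.to_bytes(8, "big")).digest()


def solve(challenge: dict, max_iterations: int = 1 << 26):
    """Client: brute-force a counter; expected cost is about 2**bits hashes."""
    for counter in range(max_iterations):
        if _leading_zero_bits(_digest(challenge["nonce"], counter)) >= challenge["bits"]:
            return counter
    return None  # client gives up: difficulty too high for this user


def verify(nonce: str, counter) -> bool:
    """Server: one dict lookup and one hash, whatever the difficulty.
    The nonce is consumed on first use and rejected once expired."""
    record = _outstanding.pop(nonce, None)
    if record is None or counter is None or not 0 <= counter < (1 << 64):
        return False
    bits, expiry = record
    if time.monotonic() > expiry:
        return False
    return _leading_zero_bits(_digest(nonce, counter)) >= bits


if __name__ == "__main__":
    ch = issue_challenge(pick_difficulty(pending_handshakes=3000))
    answer = solve(ch)
    print(ch["bits"], answer, verify(ch["nonce"], answer))
```

The asymmetry is the point: the client's cost scales with `2**bits`, while the server's verification cost stays constant, and the nonce store is what stops one solved proof from being replayed across many handshakes.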

