Re: Ddos prevention for ssl

On Mon, Aug 09, 2021 at 11:26:23AM +0200, Willy Tarreau wrote:
> On Sat, Aug 07, 2021 at 06:13:05PM -0700, Erik Aronesty wrote:
> > ...
> > 
> > A lightweight pow+authentication system like this could be a massive
> > deterrent for a denial of service attack.... effectively spreading the load
> > of the attack across all of the users of the site.
> 
> In general that's what is commonly done at the application level to
> slow down clients. In practice it's not *that* hard to protect against
> TLS floods, you just have to count the number of handshakes per source
> address and block offending ones. ...

that mode of thought went out of fashion in 2009, when conficker had a
population of 11*10^6 infected clients. so even if it were (which it is not)
reasonable for every web server to count handshakes per source address, it
wouldn't be all that useful for even one web server to do so.

> But what you're proposing here (and in the other unrelated H2 thread that
> you hijacked) needs to be discussed in the TLS group, not the HTTP group,
> as it has nothing to do with HTTP at all.

agreed as to this.

-- 
Paul Vixie
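The two positions above (Tarreau: count handshakes per source address and block offenders; Vixie: a botnet of millions of clients never trips a per-source counter) can be shown side by side with a small simulation. This is an added example, not code from the thread, from HAProxy, or from any project named in it: the log line format, the 20-handshakes-per-10-seconds threshold, the constructed addresses and the `HandshakeLimiter` class are all assumptions made for illustration.

```python
"""Per-source TLS handshake counting, and why a large botnet defeats it.

Added example, not code from the thread or from any project named in it.
The log format ('<unix_ts> <src_ip> handshake'), the limit/window values
and every address below are constructed for illustration.
"""
from collections import defaultdict, deque


def parse_handshake_log(lines):
    """Parse constructed log lines of the form '<unix_ts> <src_ip> handshake'.
    Returns a list of (timestamp, src_ip); malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] != "handshake":
            continue
        try:
            events.append((float(parts[0]), parts[1]))
        except ValueError:
            continue
    return events


class HandshakeLimiter:
    """Sliding-window counter: a source is blocked once it exceeds `limit`
    handshakes within `window` seconds. Blocked sources stay blocked, so
    their later handshakes are rejected without further bookkeeping."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)  # src_ip -> timestamps inside window
        self.blocked = set()

    def observe(self, ts, src):
        """Return True if this handshake is allowed, False if it is rejected."""
        if src in self.blocked:
            return False
        q = self.history[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps outside window
            q.popleft()
        if len(q) > self.limit:
            self.blocked.add(src)
            return False
        return True


def run(lines, limit=20, window=10.0):
    """Feed a log through the limiter; return (handshakes_allowed, blocked_ips)."""
    limiter = HandshakeLimiter(limit, window)
    allowed = 0
    for ts, src in parse_handshake_log(lines):
        if limiter.observe(ts, src):
            allowed += 1
    return allowed, limiter.blocked


def single_source_flood(n):
    """Constructed log: one address (RFC 5737 documentation range) opening
    n handshakes spread across a single second."""
    return [f"{1000 + i / n:.3f} 198.51.100.7 handshake" for i in range(n)]


def distributed_flood(n):
    """Constructed log: n distinct addresses (synthetic 10.x.y.z values),
    each opening exactly ONE handshake inside the same second.  Total load
    on the server is identical to single_source_flood(n)."""
    return [
        f"{1000 + i / n:.3f} 10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255} handshake"
        for i in range(n)
    ]


if __name__ == "__main__":
    # Same number of handshakes in the same second, very different outcomes:
    # the per-source counter stops the single flooder after 20 handshakes but
    # lets every one of the distributed clients through, because no single
    # address ever exceeds the threshold.
    print("single source :", run(single_source_flood(5000)))
    print("distributed   :", run(distributed_flood(5000)))
```

The limiter itself is sound against one noisy client; the point of the simulation is that its effectiveness depends entirely on how many sources the attacker controls, which is the objection raised in the reply. Any per-source scheme therefore needs an aggregate view (total handshake rate, or a global budget applied when the per-source counters all look healthy) to be useful against a large botnet.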

Received on Monday, 9 August 2021 23:30:55 UTC