- From: Willy Tarreau <w@1wt.eu>
- Date: Tue, 10 Aug 2021 06:25:29 +0200
- To: Paul Vixie <paul@redbarn.org>
- Cc: Erik Aronesty <erik@q32.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Mon, Aug 09, 2021 at 11:30:23PM +0000, Paul Vixie wrote:
> On Mon, Aug 09, 2021 at 11:26:23AM +0200, Willy Tarreau wrote:
> > On Sat, Aug 07, 2021 at 06:13:05PM -0700, Erik Aronesty wrote:
> > > ...
> > >
> > > A lightweight pow+authentication system like this could be a massive
> > > deterrent for a denial of service attack.... effectively spreading the load
> > > of the attack across all of the users of the site.
> >
> > In general that's what is commonly done at the application level to
> > slow down clients. In practice it's not *that* hard to protect against
> > TLS floods, you just have to count the number of handshakes per source
> > address and block offending ones.
> ...
> that mode of thought went out of fashion in 2009, when conficker had a
> population of 11*10^6 infected clients. so even if it were (which it is not)
> reasonable for every web server to count handshakes per source address, it
> wouldn't be all that useful for even one web server to do so.

Quite the opposite, a proof of work has no effect on such a bot size, while
instead you can just fingerprint the handshake and reject those that match
above a threshold. The important thing here is counting and rejecting outliers.
Whether the key is a source address or a hash of a handshake, the principle
remains the same.

Willy
Received on Tuesday, 10 August 2021 04:25:57 UTC
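The counting approach discussed in the message, as an added illustration that is not part of the thread or of any project mentioned in it: a sliding-window handshake counter whose key is either the source address or a hash of the ClientHello shape. The threshold, window, ClientHello fields and traffic mix are all constructed assumptions; the point is that against a population of many distinct addresses sharing one TLS stack, per-address counting sees nothing while per-fingerprint counting rejects the flood.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window length (assumed value)
THRESHOLD = 20        # max handshakes per key within the window (assumed value)

class HandshakeLimiter:
    """Sliding-window counter; the caller chooses the key (source address
    or a hash of the handshake). Keys above THRESHOLD are rejected."""
    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)  # key -> timestamps seen in window

    def observe(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:   # drop expired timestamps
            q.popleft()
        q.append(now)
        return len(q) <= self.threshold          # True = accept, False = reject

def fingerprint(hello):
    """Hash of the ClientHello shape (version, cipher list, extension list);
    bots built from one TLS stack share this even across many source IPs."""
    material = "%x|%s|%s" % (hello["version"],
                             ",".join(map(str, hello["ciphers"])),
                             ",".join(map(str, hello["extensions"])))
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def simulate(handshakes, key_fn, threshold=THRESHOLD):
    """Feed (time, src_ip, hello) events through one limiter keyed by key_fn;
    return how many handshakes were rejected."""
    limiter = HandshakeLimiter(threshold=threshold)
    return sum(1 for t, src, hello in handshakes
               if not limiter.observe(key_fn(src, hello), t))

# Constructed traffic: 1000 bots on distinct addresses sharing one ClientHello, plus
# five ordinary handshakes from a single browser with a different ClientHello.
BOT_HELLO = {"version": 0x0303, "ciphers": [0x1301, 0x1302], "extensions": [0, 10, 11]}
BROWSER_HELLO = {"version": 0x0303, "ciphers": [0x1301, 0x1302, 0x1303, 0xc02b],
                 "extensions": [0, 5, 10, 11, 13, 16, 23, 43, 51]}

def build_traffic():
    bots = [(i * 0.001, "10.0.%d.%d" % (i // 256, i % 256), BOT_HELLO) for i in range(1000)]
    browser = [(0.5 + i, "192.0.2.7", BROWSER_HELLO) for i in range(5)]
    return sorted(bots + browser, key=lambda e: e[0])

def rejected_per_source():       # per-source-address counting: every bot stays under threshold
    return simulate(build_traffic(), lambda src, hello: src)

def rejected_per_fingerprint():  # per-handshake-fingerprint counting: the flood is caught
    return simulate(build_traffic(), lambda src, hello: fingerprint(hello))
```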