- From: Erik Aronesty <erik@q32.com>
- Date: Tue, 10 Aug 2021 06:37:50 -0700
- To: Willy Tarreau <w@1wt.eu>
- Cc: Paul Vixie <paul@redbarn.org>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAJowKgLoL6BX6x=A7opvcuDm=7E47XF5Qh1sFzbTAVUtNvNyUw@mail.gmail.com>
In my study a proof of work vastly improved resilience to a DDoS with a large number of seemingly valid handshake initializations.

On Mon, Aug 9, 2021, 9:25 PM Willy Tarreau <w@1wt.eu> wrote:

> On Mon, Aug 09, 2021 at 11:30:23PM +0000, Paul Vixie wrote:
> > On Mon, Aug 09, 2021 at 11:26:23AM +0200, Willy Tarreau wrote:
> > > On Sat, Aug 07, 2021 at 06:13:05PM -0700, Erik Aronesty wrote:
> > > > ...
> > > >
> > > > A lightweight pow+authentication system like this could be a massive
> > > > deterrent for a denial of service attack.... effectively spreading the load
> > > > of the attack across all of the users of the site.
> > >
> > > In general that's what is commonly done at the application level to
> > > slow down clients. In practice it's not *that* hard to protect against
> > > TLS floods, you just have to count the number of handshakes per source
> > > address and block offending ones. ...
> >
> > that mode of thought went out of fashion in 2009, when conficker had a
> > population of 11*10^6 infected clients. so even if it were (which it is not)
> > reasonable for every web server to count handshakes per source address, it
> > wouldn't be all that useful for even one web server to do so.
>
> Quite the opposite, a proof of work has no effect on such a bot size,
> while instead you can just fingerprint the handshake and reject those
> that match above a threshold. The important thing here is counting
> and rejecting outliers. Whether the key is a source address or a hash of
> a handshake, the principle remains the same.
>
> Willy
Received on Tuesday, 10 August 2021 13:39:15 UTC
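The disagreement above is about what to key the handshake counter on. The following is an added example, not code from the thread or from any of its participants: a sliding-window counter that is run twice over the same constructed traffic, once keyed by source address and once by a hash of the ClientHello, to show why per-address counting does nothing against a large botnet while per-fingerprint counting still rejects the outliers. The window and limit values, the dict representation of a ClientHello, and the traffic shape (1000 sources each sending two identical handshakes, then five clients with distinct handshakes) are all assumptions; the `fingerprint()` hash is a toy stand-in for a real wire-format fingerprint such as JA3.

```python
"""Added example: per-source vs. per-fingerprint handshake counting.
Not code from the mailing-list thread; all policy values are assumed."""
import hashlib
from collections import defaultdict, deque

# Assumed policy values, not from the thread.
WINDOW_SECONDS = 10.0   # how much history is kept per key
LIMIT_PER_WINDOW = 20   # handshakes per key per window before rejecting


def fingerprint(client_hello):
    """Hash the stable, client-chosen parts of a ClientHello.

    The input is a constructed dict, not a parsed TLS record; a real
    deployment would hash the wire-format fields the way JA3-style tools do.
    """
    material = "|".join((
        client_hello["version"],
        ",".join(client_hello["ciphers"]),
        ",".join(client_hello["extensions"]),
    ))
    return hashlib.sha256(material.encode()).hexdigest()[:16]


class HandshakeCounter:
    """Sliding-window handshake counter; the key is whatever the caller
    chooses (source address, fingerprint hash, or a combination)."""

    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)   # key -> timestamps inside the window

    def accept(self, key, now):
        q = self.seen[key]
        while q and now - q[0] > self.window:
            q.popleft()                  # expire timestamps outside the window
        if len(q) >= self.limit:
            return False                 # outlier: over threshold, reject
        q.append(now)
        return True


def run_flood(records, key_fn):
    """Replay handshake records through a counter keyed by key_fn(record).
    Returns (accepted, rejected)."""
    counter = HandshakeCounter()
    accepted = rejected = 0
    for rec in records:
        if counter.accept(key_fn(rec), rec["t"]):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def build_records(n_bots, per_bot, n_legit=5, per_legit=3):
    """Constructed traffic (not captured data): n_bots distinct source
    addresses each sending per_bot handshakes with an identical ClientHello,
    followed by n_legit clients whose ClientHellos differ from each other."""
    bot_hello = {"version": "0x0303",
                 "ciphers": ["1301", "1302", "c02b"],
                 "extensions": ["0", "10", "11", "43", "51"]}
    records = []
    t = 0.0
    for i in range(n_bots):
        src = f"10.{(i >> 8) & 255}.{i & 255}.1"       # unique per bot
        for _ in range(per_bot):
            records.append({"src": src, "t": t, "hello": bot_hello})
            t += 0.001
    for i in range(n_legit):
        hello = {"version": "0x0303",
                 "ciphers": ["1301", "1302", "c02b", "c02f"],
                 "extensions": ["0", "10", "11", "43", "51", str(100 + i)]}
        for _ in range(per_legit):
            records.append({"src": f"192.0.2.{i + 1}", "t": t, "hello": hello})
            t += 0.001
    return records


def compare(n_bots=1000, per_bot=2):
    """Run the same traffic under both keys; returns a dict of (accepted, rejected)."""
    recs = build_records(n_bots, per_bot)
    by_src = run_flood(recs, lambda r: r["src"])
    by_fp = run_flood(recs, lambda r: fingerprint(r["hello"]))
    return {"by_source": by_src, "by_fingerprint": by_fp}


if __name__ == "__main__":
    for name, (ok, dropped) in compare().items():
        print(f"{name:15s} accepted={ok:5d} rejected={dropped:5d}")
```

With these assumed values, keying by source address accepts every one of the 2015 handshakes, because no single bot ever crosses the per-key limit; keying by fingerprint accepts the first 20 bot handshakes and all 15 legitimate ones and rejects the other 1980. The caveat a practitioner would add is the flip side of the same property: any legitimate client whose ClientHello happens to match the flooding fingerprint (the same browser build, say) is rejected along with the bots once the threshold is crossed, so in practice the fingerprint key is combined with other signals rather than used alone.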