
Re: PoW (Re: Attack research on HTTP/2 implementations)

From: Erik Aronesty <erik@q32.com>
Date: Fri, 3 Sep 2021 07:54:53 -0400
Message-ID: <CAJowKgJH26KqOt0VRzmktfQk58eEG7zKY324uMDwbRDcPyFQaQ@mail.gmail.com>
To: Nick Harper <ietf@nharper.org>
Cc: Erik Nygren <erik@nygren.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Martin Thomson <mt@lowentropy.net>, "ietf-http-wg@w3.org Group" <ietf-http-wg@w3.org>
> Proof of work requires the client to do additional work for the sake of doing work. The server still has to do the same amount of work it would have done had the client not done the proof of work (and in fact needs to do slightly more work to verify the proof of work). This is not a zero-sum game where some work is moved from the server to the client; it is a net increase in the amount of work done.

yes

assuming the attacker can only afford 10000 (arbitrary fixed number)
computations, before proof of work:

    attacker creates 10000 connections, server performs 10000
cryptographic computations
    total 10000 computations

after proof of work:

    attacker creates 1000 connections, requiring 10 computations per
connection, server performs 1000 cryptographic computations
    total 11000 computations


assuming the attacker has non-infinite resources, a 10x increase in
computation on the client during an attack results in a 10% increase
in overall computation

a very minor proof of work vastly mitigates attacks, while negligibly
increasing the work done by clients

of course companies like google wouldn't like this.... they rely on
machines automatically connecting to billions of sites, so i
understand why you might object against defenses that help mitigate
automation

>> is a good example of a protocol where proof of work clearly saves more
>> energy than it expends - even though the analysis is not trivial.
>
>
> [citation needed]

really?

if you want, but this is a nascent field - like i said before, the
analysis is not trivial, and it's hard to know what the long term
effects of a bitcoin-integrated society would be.

https://assets.ctfassets.net/2d5q1td6cyxq/2D2BnksJjavw4a6SUvAPwZ/c42a9e3a520b0cc3b230cda3b43eead5/BCEI_White_Paper_.pdf

it's also unrelated to the more important point... that proof of work
is an excellent ddos deterrent
Received on Friday, 3 September 2021 11:55:18 UTC
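To make the two positions in the exchange concrete, the following is an added example (not code from the thread or from any HTTP/2 proposal): a minimal hash-based proof-of-work handshake in Python, where the server issues a challenge, the client brute-forces a nonce, and the server verifies with a single hash, plus a function that reproduces the cost accounting in the message above. The challenge format, the nonce encoding, and the rule that a bare connection attempt costs the attacker one budget unit are assumptions chosen so that a budget of 10000 and a PoW cost of 10 yield the message's figures (1000 connections, 11000 total cryptographic computations).

```python
"""Hash-based proof-of-work handshake plus the cost model from the email.

Added example; not part of the original thread. The challenge format,
the nonce encoding and the cost-model accounting are assumptions made
for illustration, not any HTTP/2 proposal.
"""
import hashlib
import secrets

NONCE_LEN = 8  # bytes; assumed fixed-width encoding of the client's counter


def _digest(challenge: bytes, nonce: int) -> bytes:
    return hashlib.sha256(challenge + nonce.to_bytes(NONCE_LEN, "big")).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in the digest (0..256 for SHA-256)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def issue_challenge() -> bytes:
    """Server side: a fresh, unpredictable challenge per connection attempt,
    so a solution cannot be precomputed or replayed across connections."""
    return secrets.token_bytes(16)


def solve(challenge: bytes, difficulty_bits: int) -> tuple[int, int]:
    """Client side: search for a nonce until SHA-256(challenge || nonce) has at
    least difficulty_bits leading zero bits. Returns (nonce, hashes_computed);
    the expected number of hashes is roughly 2 ** difficulty_bits."""
    nonce = 0
    while leading_zero_bits(_digest(challenge, nonce)) < difficulty_bits:
        nonce += 1
    return nonce, nonce + 1


def verify(challenge: bytes, nonce: int, difficulty_bits: int) -> bool:
    """Server side: exactly one hash, whatever the difficulty. This is the
    'slightly more work' per connection that the quoted reply points out;
    it does not replace the server's normal per-connection work."""
    if not 0 <= nonce < 1 << (NONCE_LEN * 8):
        return False  # reject malformed nonces before encoding them
    return leading_zero_bits(_digest(challenge, nonce)) >= difficulty_bits


def attack_cost_model(attacker_budget: int, pow_work: int) -> dict:
    """Reproduce the message's accounting (an assumed model, not a standard):
    the attacker has a fixed budget of work units; opening one connection
    costs max(1, pow_work) units (one unit for a bare connection attempt,
    which is not counted as a cryptographic computation, or pow_work hashes
    when proof of work is required); the server spends one cryptographic
    computation per accepted connection; the total counts cryptographic
    computations only, on both sides."""
    cost_per_connection = max(1, pow_work)
    connections = attacker_budget // cost_per_connection
    server_work = connections
    client_work = connections * pow_work
    return {
        "connections": connections,
        "server_work": server_work,
        "client_pow_work": client_work,
        "total_crypto_work": server_work + client_work,
    }


if __name__ == "__main__":
    challenge = issue_challenge()
    nonce, hashes = solve(challenge, 12)
    print(f"solved in {hashes} hashes; verify -> {verify(challenge, nonce, 12)}")
    for work in (0, 10):
        print(f"pow_work={work}: {attack_cost_model(10000, work)}")
```

Running the module prints the handshake result and the two budget scenarios. The model deliberately shows both sides of the argument: with a fixed attacker budget the server's load drops in proportion to the PoW cost, while the sum of cryptographic work across attacker and server rises, and the `verify` step is the extra per-connection hash the server pays in every case, including for legitimate clients.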
