Re: PoW (Re: Attack research on HTTP/2 implementations)

a flexible, intelligent protocol could make it infeasible for an
attacker to bring down a server, while allowing regular traffic to
proceed virtually unhindered

but i'm arguing with people who have conflicts of interest, so i'm done.

On Fri, Sep 3, 2021 at 11:41 AM Paul Vixie <paul@redbarn.org> wrote:
>
> On Fri Sep 3, 2021 at 11:54 AM UTC, Erik Aronesty wrote:
> > > Proof of work ...
>
> i pronounce the acronym PoW differently, "proof of waste". perhaps it's
> not as wasteful if the computations are in the goldilocks zone, easy for
> actual clients, difficult for malicious or fake clients. but we'd be
> arguing matters of degree (how wasteful?) not kind (it's always wasteful.)
>
> > assuming the attacker has non-infinite resources, a 10x increase in
> > computation on the client during an attack results in a 10% increase
> > in overall computation
>
> attackers have elastic resources, they'll steal as much as they need. if
> we try to stop them with proof of waste, they will use botnets as necessary
> to waste as much as we demand. computation is not a rare or valuable asset.
> i do not predict a goldilocks zone in the latency requirements for PoW
> such that we can distinguish distributed vs. local computation by a client.
>
> consider captcha, which tries to rely on human "computation". attackers
> have at various times screen-scraped the captcha demand and shown it to a
> user of some "free porn" site they operate, and then copy out the clicks
> from that proxy-human, and use them to enter the original protected site.
>
> security engineering is not the same as theory or whiteboarding. at a
> minimum, it's necessary to understand the attacker's motives and
> alternatives before targeting them for a cost you hope is "too high".
>
> vixie
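Both sides above argue in numbers (a 10x client cost, a "goldilocks zone", botnets that scale to whatever is demanded), so here is an added example, not code from either poster, that makes those numbers concrete: a hashcash-style client puzzle with constant-cost server verification, plus a small capacity model for choosing a difficulty against an attacker with elastic resources. The botnet size, hash rates and server capacity in the demo are constructed, assumed values.

```python
import hashlib
import secrets


def issue_challenge(bits: int, nonce: str = "") -> dict:
    """Server side: a fresh random nonce plus the required number of leading zero bits."""
    return {"nonce": nonce or secrets.token_hex(16), "bits": bits}


def _digest(nonce: str, counter: int) -> bytes:
    return hashlib.sha256(f"{nonce}:{counter}".encode()).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(challenge: dict) -> int:
    """Client side: find the smallest counter whose hash has enough leading zero bits.
    Expected cost is roughly 2**bits hash evaluations, all of it on the client."""
    counter = 0
    while _leading_zero_bits(_digest(challenge["nonce"], counter)) < challenge["bits"]:
        counter += 1
    return counter


def verify(challenge: dict, counter: int) -> bool:
    """Server side: one hash regardless of difficulty (the asymmetry PoW relies on)."""
    return _leading_zero_bits(_digest(challenge["nonce"], counter)) >= challenge["bits"]


def min_difficulty_bits(bots: int, hashes_per_sec_per_bot: float, server_capacity_rps: float) -> int:
    """Smallest difficulty at which `bots` hosts can no longer push more solved
    requests per second than the server can handle. Raising `bots` (a bigger botnet)
    raises the answer: the attacker's cost is degree, not kind."""
    attacker_hashes_per_sec = bots * hashes_per_sec_per_bot
    bits = 0
    while attacker_hashes_per_sec / (2 ** bits) > server_capacity_rps:
        bits += 1
    return bits


def client_delay_seconds(bits: int, client_hashes_per_sec: float) -> float:
    """Expected time one legitimate client spends solving at that difficulty."""
    return (2 ** bits) / client_hashes_per_sec


if __name__ == "__main__":
    # Constructed scenario: 100k bots at 1M SHA-256/s each vs. a server rated for 10k req/s.
    bits = min_difficulty_bits(bots=100_000, hashes_per_sec_per_bot=1e6, server_capacity_rps=10_000)
    print(f"difficulty needed: {bits} bits; legit client delay: {client_delay_seconds(bits, 1e6):.1f}s")
```

The demo shows the trade-off the thread is about: the difficulty that throttles the assumed botnet also costs every honest client on similar hardware about 17 seconds per request.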

Received on Friday, 3 September 2021 15:58:37 UTC