Re: Mitigating DDoS via Proof of Patience

good morning;

> On 2015-06-28, at 08:12, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
> Keeping the Credentials CG in the loop...
> 
> We're in the process of building out some of the Decentralized Hash
> Table functionality for the identifiers that we expect will be needed
> for credential portability. Part of this work requires that the
> decentralized identifiers should be protected from distributed denial of
> service attacks. We have created a new type of proof, called a "Proof of
> Patience", that helps mitigate against these sorts of attacks in a way
> that is more effective than proof of work.
> 
> The technology has been written up in IETF RFC form and published here:
> 
> https://tools.ietf.org/html/draft-sporny-http-proofs-01
> 
> Abstract
> 
>   For a client to access a particular resource on the Web, a server
>   must expend a certain amount of computational effort to respond to
>   the request.  In some cases this computational effort is sizeable and
>   the server may want to only respond to certain clients.  For example,
>   in a distributed denial-of-service attack, a server may require all
>   clients to expend a certain amount of resources via a client-run
>   proof-of-work algorithm to throttle the number of incoming requests
>   to a more manageable number.  This document details a new
>   authentication scheme for HTTP that may be used to request and
>   transmit proofs in HTTP headers.

there are two possible consequential distinctions between this and a 503 with a retry time

- the challenge/retry exchange carries state and could relieve the server of administering it.
- the protocol could entail a service guarantee. that is, it may be that a server must not respond to a legitimate challenge response with another 401 challenge. is that the case?

are there other advantages?

best regards, from berlin,
---
james anderson | james@dydra.com | http://dydra.com
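The first distinction raised above, that the challenge/retry exchange could carry its own state, can be shown with a server that mints a self-describing challenge token and later verifies it without keeping a per-client table. This is an added example, not code from the draft or from Digital Bazaar; the header layout (`Proof type="patience", token="..."`), the HMAC token encoding and the timing constants are assumptions, not the draft's wire format.

```python
import base64
import hashlib
import hmac
import re
import secrets

# Hypothetical server secret: only the server that minted a token can verify it.
SERVER_KEY = secrets.token_bytes(32)
PATIENCE_SECONDS = 5   # minimum wait the client must demonstrate before retrying
ACCEPT_WINDOW = 60     # seconds after that wait during which the proof is honoured

def _mac(client_id, nbf):
    return hmac.new(SERVER_KEY, f"{client_id}:{nbf}".encode(), hashlib.sha256).hexdigest()

def _encode(client_id, nbf, mac):
    return base64.urlsafe_b64encode(f"{client_id}:{nbf}:{mac}".encode()).decode()

def make_challenge(client_id, now):
    # WWW-Authenticate value for the 401. The token carries everything the server would
    # otherwise have to remember: who was challenged, the earliest retry time, and a MAC over both.
    nbf = now + PATIENCE_SECONDS
    return f'Proof type="patience", token="{_encode(client_id, nbf, _mac(client_id, nbf))}"'

def _extract_token(header):
    # Assumed header shape (not the draft's wire format): Proof type="patience", token="..."
    m = re.fullmatch(r'Proof\s+type="patience",\s*token="([A-Za-z0-9_=-]+)"', header)
    return m.group(1) if m else None

def verify_proof(header, client_id, now):
    # Validate the Authorization header from the token and the key alone: no per-client table.
    token = _extract_token(header)
    if token is None:
        return False, "malformed"
    try:
        cid, nbf_text, mac = base64.urlsafe_b64decode(token).decode().rsplit(":", 2)
        nbf = int(nbf_text)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    # Check the MAC first so the remaining fields are known to be server-issued.
    if not hmac.compare_digest(mac, _mac(cid, nbf)):
        return False, "bad signature"
    if cid != client_id:
        return False, "token issued to a different client"
    if now < nbf:
        return False, "too early"
    if now > nbf + ACCEPT_WINDOW:
        return False, "expired"
    # Cost of statelessness: the token can be replayed within ACCEPT_WINDOW; keep it short.
    return True, "ok"
```

The client simply copies the challenge value into its Authorization header after waiting; a 503 with Retry-After gives the server no comparable way to tell a patient client from one that ignored the delay.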

Received on Sunday, 28 June 2015 08:28:22 UTC