client puzzle protocol

From: Michael B. Rash (mbrat_private)
Date: Mon Feb 14 2000 - 20:36:53 PST


    http://www.rsasecurity.com/rsalabs/staff/ajuels/papers/clientpuzzles.pdf 
    
    So basically RSA seems to think that this technology could be used to help
    stop the recent DoS attacks that gained so much media attention, but
    either I am not understanding something, or they have made a mistake in
    their architecture.
    
    The technology can be summarized by the following excerpt from the
    paper's abstract: 
    
    "...TCP SYN flooding is an example of a connection depletion attack in
    which an attacker... <snip>.  We introduce a countermeasure
    that we refer to as a client puzzle protocol.  When a server comes under
    attack, it distributes small cryptographic puzzles to clients making
    service requests.  To complete its request, a client must solve its puzzle
    correctly..."
    
    OK.  First of all, "distributes puzzles" implies that the attacking
    machine is listening for them in the first place, which most likely it 
    will not be (the TCP SYN packets would most likely be spoofed 
    anyway... where do they think they are going to "send the puzzle"?).  An
    attacking machine simply needs to create a bunch of SYN packets and get
    them to the target, who will then begin generating the corresponding
    SYN-ACK packets thereby overflowing its connection buffers.  That's
    it... that is the whole attack.  The only advantage in doing something
    like the client puzzle protocol would be to limit the number of
    *legitimate* connections that a machine could make since the 
    computationally expensive cryptographic puzzles would start eating lots of
    compute cycles if it tried to initiate 10,000 connections.  If I'm an
    attacker I don't care about legitimate connections... I don't even care if
    I see *any* packet return from the target.
    
    What am I missing?  How would the CPP help to prevent DoS attacks?
    
    (Note of course that we are talking about both a client and server side 
    modification to make all of this possible in the first place... sounds
    like an upcoming product from RSA).
    
    
    --Mike                        | "...the whole aim of practical politics is
                                  | to keep the populace alarmed (and hence
    http://www.math.umd.edu/~mbr  | clamorous to be led to safety) by an
                                  | endless series of hobgoblins..."  -Mencken
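
The exchange the quoted abstract describes (the server hands out a puzzle, the client must solve it to complete its request), as an added example that is not part of the original post or of the RSA paper. It assumes a simplified hash-based puzzle and a server that always issues puzzles and reserves a connection slot only after a verified solution; `Server`, `issue_puzzle`, `solve_puzzle`, `verify_solution` and all constants are hypothetical names and constructed values.

```python
import hashlib, hmac, os

SERVER_SECRET = os.urandom(32)  # hypothetical long-term server key
DIFFICULTY_BITS = 12            # constructed value: about 2**12 hashes per solve
PUZZLE_LIFETIME = 30            # assumed validity window, in seconds

def _zero_bits(digest):
    """Count leading zero bits of a digest."""
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()

def _attempt(nonce, counter):
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()

def issue_puzzle(client_addr, now):
    """Derive the puzzle from (secret, address, time); nothing is stored."""
    msg = f"{client_addr}|{now}".encode()
    return now, hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

def solve_puzzle(nonce, bits=DIFFICULTY_BITS):
    """Client side: search for a counter whose hash has `bits` leading zeros."""
    counter = 0
    while _zero_bits(_attempt(nonce, counter)) < bits:
        counter += 1
    return counter

def verify_solution(client_addr, issued_at, solution, now, bits=DIFFICULTY_BITS):
    """Server side: one HMAC and one hash, done before any state is allocated."""
    if not 0 <= now - issued_at <= PUZZLE_LIFETIME or not 0 <= solution < 2**64:
        return False
    _, nonce = issue_puzzle(client_addr, issued_at)  # recomputed, never looked up
    return _zero_bits(_attempt(nonce, solution)) >= bits

class Server:
    def __init__(self, slots):
        self.slots, self.connections = slots, set()

    def on_request(self, client_addr, now):
        return issue_puzzle(client_addr, now)  # no slot is reserved here

    def on_solution(self, client_addr, issued_at, solution, now):
        if len(self.connections) >= self.slots:
            return False
        if not verify_solution(client_addr, issued_at, solution, now):
            return False
        self.connections.add((client_addr, issued_at))  # state only after proof
        return True
```

In this sketch a request whose source never answers leaves `connections` untouched, and a client that does answer pays roughly `2**DIFFICULTY_BITS` hash evaluations per slot while the server pays two.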
    


