http://www.rsasecurity.com/rsalabs/staff/ajuels/papers/clientpuzzles.pdf So basically RSA seems to think that this technology could be used to help stop the recent DoS attacks that gained so much media attention, but either I am not understanding something, or they have made a mistake in their architecture. The technology can be summarized by the following excerpt from the paper's abstract: "...TCP SYN flooding is an example of a connection depletion attack in which an attacker... <snip>. We introduce a countermeasure that we refer to as a client puzzle protocol. When a server comes under attack, it distributes small cryptographic puzzles to clients making service requests. To complete its request, a client must solve its puzzle correctly..." OK. First of all, "distributes puzzles" implies that the attacking machine is listening for them in the first place, which most likely it will not be (the TCP SYN packets would most likely be spoofed anyway... where do they think they are going to "send the puzzle"?). An attacking machine simply needs to create a bunch of SYN packets and get them to the target, who will then begin generating the corresponding SYN-ACK packets thereby overflowing its connection buffers. That's it... that is the whole attack. The only advantage in doing something like the client puzzle protocol would be to limit the number of *legitimate* connections that a machine could make since the computationally expensive cryptographic puzzles would start eating lots of compute cycles if it tried to initiate 10,000 connections. If I'm an attacker I don't care about legitimate connections... I don't even care if I see *any* packet return from the target. What am I missing? How would the CPP help to prevent DoS attacks? (Note of course that we are talking about both a client and server side modification to make all of this possible in the first place... sounds like an upcoming product from RSA). --Mike | "...the whole aim of practical politics is | to keep the populace alarmed (and hence http://www.math.umd.edu/~mbr | clamorous to be led to safety) by an | endless series of hobgoblins..." -Mencken
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:03:35 PDT