"Michael B. Rash" <mbrat_private>:

> scheme any different? The server still must maintain state for each
> connection request to know if any subsequent response solved the crypto
> puzzle correctly... hence we can DoS such a server in exactly the same way
> as the normal SYN flood; by maxing out this state table.

This might be avoided by something like "An option-based implementation
of SYN cookies?" proposed here in December by Mikael Olsson
<mikael.olssonat_private>.

> In addition,
> even if there were a server-side limit on the number of connection
> requests made by a single client (which RSA does not seem to do) it would
> be easy to spoof packets from *many* different IPs in the same manner as
> the DDoS attacks and so this would be useless too.

It may prevent spoofing, but I think massive parallel puzzling by large
numbers of zombies with genuine unwanted connections will beat this and
anything else of the kind.

--
##############################################################
# Antonomasia   antat_private                                #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
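The stateless puzzle the reply is pointing at, as an added example that is not code from this thread, from RSA's scheme, or from Olsson's proposal. It models the SYN-cookie idea in puzzle form: the server derives the challenge from a keyed hash over the client address, port and a coarse time slot, so it stores nothing per half-open connection and simply recomputes the challenge when a solution arrives. The HMAC-SHA256 construction, the leading-zero-bits difficulty, the 8-second slot, the one-slot grace window and the sample address are all assumptions made for the example. It also shows the caveat in the reply: a client with a genuine address just runs solve() and pays the CPU cost, so the scheme prices out spoofed floods, not zombies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for illustration; not taken from the original thread.
DIFFICULTY_BITS = 12        # leading zero bits the client must produce
SLOT_SECONDS = 8            # challenge is tied to a coarse time slot
SERVER_SECRET = secrets.token_bytes(32)   # assumed rotated out of band


def time_slot(now=None):
    """Coarse time slot; bounds how long a solved puzzle stays valid."""
    return int((time.time() if now is None else now) // SLOT_SECONDS)


def puzzle_for(client_ip, client_port, slot, secret=SERVER_SECRET):
    """Server: derive the challenge from (address, port, slot) with a keyed hash.

    The challenge is a pure function of what the server already knows about the
    incoming packet plus a secret, so issuing it creates no state table entry,
    and a spoofed source never sees it (it goes back to the forged address).
    """
    msg = f"{client_ip}:{client_port}:{slot}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def solve(challenge, bits=DIFFICULTY_BITS):
    """Client: brute-force an 8-byte nonce so SHA256(challenge||nonce) has `bits` leading zeros.

    This is the cost a legitimate client, or a zombie with a real address, pays.
    """
    nonce = 0
    while True:
        candidate = nonce.to_bytes(8, "big")
        if leading_zero_bits(hashlib.sha256(challenge + candidate).digest()) >= bits:
            return candidate
        nonce += 1


def verify(client_ip, client_port, nonce, now=None, bits=DIFFICULTY_BITS,
           secret=SERVER_SECRET):
    """Server: accept a nonce if it solves the puzzle for the current or previous slot.

    Nothing was stored when the challenge went out; verification recomputes it,
    so flooding the server with unanswered challenges exhausts no table.
    """
    slot = time_slot(now)
    for s in (slot, slot - 1):   # one-slot grace window (assumption)
        challenge = puzzle_for(client_ip, client_port, s, secret)
        if leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= bits:
            return True
    return False


if __name__ == "__main__":
    # Constructed exchange: client 198.51.100.7:40000 connects, solves, is verified.
    ip, port = "198.51.100.7", 40000
    challenge = puzzle_for(ip, port, time_slot())
    nonce = solve(challenge)
    print("accepted:", verify(ip, port, nonce))
```

The server side never allocates anything between sending the challenge and checking the answer, which is the property the state-table SYN flood relies on being absent. The grace window is what makes slot boundaries survivable; lengthening it lengthens how long a captured solution can be replayed from the same address and port.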
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:04:41 PDT