From: "Gregory Stark" <gregat_private>
> From: "Antonomasia" <antat_private>
> > It may prevent spoofing, but I think massive parallel puzzling by large
> > numbers of zombies with genuine unwanted connections will beat this and
> > anything else of the kind.
> The RSA paper does in fact handle this. Similar ideas have been mentioned on
> the IPsec mailing list.
> The basic idea is to make the client save the state info that the server
> normally would save.
....
> Please explain where/why the server must retain state information which
> makes it susceptible to DoS?

That wasn't what I said. Had you quoted me more fully you'd have noticed
that I mentioned how a client can be made to keep the state.

My point in the above paragraph is that the compute burden is placed on the
zombie machines, which can be recruited in their thousands, with the result
that many connections do get opened and do (after opening) use resources.
That the machines connecting (and solving the puzzles) are the many zombies
and not the attacker means that the cost is not borne by the attacker. This
means a puzzle scheme that is fine for direct DoS is poor against DDoS. I
speculate that this remains true regardless of the nature of the puzzle.

--
##############################################################
# Antonomasia   antat_private                                #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
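The exchange above contrasts two things: a stateless client-puzzle scheme (the server keeps no per-client state; the client carries it) and the observation that puzzles only charge whoever connects, so a botnet of zombies pays the bill rather than the attacker. The following is an added, self-contained illustration of both points; it is not code from the thread, from the RSA paper, or from any IPsec proposal. The puzzle construction (find a nonce so that SHA-256 of the challenge plus nonce has a given number of leading zero bits), the HMAC-authenticated challenge that lets the server verify without storing anything, the server key and the botnet figures are all constructed assumptions for the demo.

```python
"""Client puzzles with a stateless server, plus a cost model showing why
per-connection work done by zombies does not throttle a DDoS the way it
throttles a single attacker.  Constructed example, not the thread's code."""

import hashlib
import hmac

# Constructed demo secret; a real server would use a random, rotated key.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def issue_challenge(client_addr: str, window: int, difficulty: int) -> bytes:
    """Server side.  The challenge is bound to the client address, a time
    window and the required difficulty, and carries an HMAC over those fields.
    The server stores nothing: the client must hand the challenge back intact,
    which is the "client keeps the state" idea from the quoted message."""
    body = f"{client_addr}|{window}|{difficulty}".encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()[:32]
    return body + b"|" + tag.encode()


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(challenge: bytes):
    """Client side: brute-force a nonce until the hash meets the difficulty.
    Returns (nonce, hashes_tried).  Expected work is about 2**difficulty."""
    difficulty = int(challenge.split(b"|")[2])
    nonce = 0
    while True:
        digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify_solution(challenge: bytes, nonce: int, client_addr: str, window: int) -> bool:
    """Server side: constant, small amount of work and no lookup in any table.
    First confirm the challenge is one we issued for this client and window
    (so a client cannot lower the difficulty field), then check one hash."""
    parts = challenge.split(b"|")
    if len(parts) != 4:
        return False
    addr, win, diff, tag = parts
    body = b"|".join(parts[:3])
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()[:32].encode()
    if not hmac.compare_digest(tag, expected):
        return False
    if addr.decode() != client_addr or int(win) != window:
        return False
    digest = hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()
    return _leading_zero_bits(digest) >= int(diff)


# ---- cost model for the DDoS argument ------------------------------------

def accepted_connection_rate(zombies: int, hashes_per_sec: float, difficulty: int) -> float:
    """Expected connections per second a botnet opens through the puzzle.
    Each zombie does honest-client work (~2**difficulty hashes per
    connection); the aggregate scales linearly with the number of zombies,
    and none of that CPU belongs to the attacker."""
    return zombies * hashes_per_sec / 2 ** difficulty


def difficulty_needed(zombies: int, hashes_per_sec: float, server_capacity: float):
    """Smallest difficulty at which the botnet's accepted-connection rate drops
    to server capacity, or None if no difficulty up to 64 bits suffices."""
    for d in range(0, 65):
        if accepted_connection_rate(zombies, hashes_per_sec, d) <= server_capacity:
            return d
    return None


def honest_seconds_per_connection(difficulty: int, hashes_per_sec: float) -> float:
    """Delay an honest client pays per connection at that difficulty."""
    return 2 ** difficulty / hashes_per_sec


if __name__ == "__main__":
    ch = issue_challenge("192.0.2.10", window=100, difficulty=12)
    nonce, tries = solve_puzzle(ch)
    print("solved after", tries, "hashes; verified:",
          verify_solution(ch, nonce, "192.0.2.10", 100))
    # Constructed figures: 10,000 zombies, 1e6 SHA-256/s each, server accepts 1,000 conn/s.
    d = difficulty_needed(10_000, 1e6, 1_000)
    print("difficulty needed to hold the botnet to capacity:", d)
    print("seconds an honest client then waits per connection:",
          honest_seconds_per_connection(d, 1e6))
```

With the constructed numbers the model needs 24 bits of difficulty to hold ten thousand zombies to the server's capacity, at which point a legitimate client with the same CPU waits roughly 17 seconds per connection; that is the sense in which the per-connection cost lands on the zombies and the honest users rather than on the attacker.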
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:06:18 PDT