Firewall Wizards mailing list archives

Re: client puzzle protocol


From: Antonomasia <ant () notatla demon co uk>
Date: Thu, 17 Feb 2000 21:59:57 GMT

"Michael B. Rash" <mbr () math umd edu>:

> scheme any different?  The server still must maintain state for each
> connection request to know if any subsequent response solved the crypto
> puzzle correctly... hence we can DoS such a server in exactly the same way
> as the normal SYN flood; by maxing out this state table.

This might be avoided by something like "An option-based implementation
of SYN cookies?" proposed here in December by Mikael Olsson
<mikael.olsson () enternet se>.

> In addition,
> even if there were a server-side limit on the number of connection
> requests made by a single client (which RSA does not seem to do) it would
> be easy to spoof packets from *many* different IP's in the same manner as
> the DDoS attacks and so this would be useless too.

It may prevent spoofing, but I think massive parallel puzzling by large
numbers of zombies with genuine unwanted connections will beat this and
anything else of the kind.

--
##############################################################
# Antonomasia   ant () notatla demon co uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################
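The stateless puzzle handling the reply points at (a SYN-cookie style scheme in which the server recomputes, rather than remembers, what it handed out) is easy to sketch. The following is an added example written for this archive page; it is not code from the thread, from RSA's client puzzle paper, or from Mikael Olsson's option-based proposal. The class and function names, the difficulty, the window length and the sample addresses are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed parameters for the example; a real server would tune these.
DIFFICULTY_BITS = 12     # leading zero bits the client must find (~4096 hashes)
WINDOW_SECONDS = 60      # a puzzle is accepted for this and the previous window


def _digest(nonce: bytes, answer: int) -> bytes:
    """Hash the server nonce together with the client's candidate answer."""
    return hashlib.sha256(nonce + answer.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits; this is the work measure for the puzzle."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def solve(nonce: bytes, difficulty: int) -> int:
    """Client side: brute-force an answer whose digest has enough leading zeros."""
    answer = 0
    while _leading_zero_bits(_digest(nonce, answer)) < difficulty:
        answer += 1
    return answer


class StatelessPuzzleServer:
    """Issues and verifies client puzzles without a per-request state table.

    The nonce is an HMAC over the client's address and a coarse timestamp, so
    on the answer the server recomputes it instead of looking it up. A flood of
    unanswered requests therefore costs the server one HMAC each and no memory,
    which is the property a SYN-cookie style design is after.
    """

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(32)

    def _window(self, now: float) -> int:
        return int(now) // WINDOW_SECONDS

    def _nonce(self, client: str, window: int) -> bytes:
        msg = f"{client}|{window}|{DIFFICULTY_BITS}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:16]

    def issue(self, client: str, now: float) -> Tuple[int, bytes, int]:
        """Return (window, nonce, difficulty); nothing is stored server-side."""
        window = self._window(now)
        return window, self._nonce(client, window), DIFFICULTY_BITS

    def verify(self, client: str, window: int, nonce: bytes,
               answer: int, now: float) -> bool:
        """Recompute the nonce from (client, window) and check the work."""
        current = self._window(now)
        if window not in (current, current - 1):
            return False  # stale or future puzzle
        expected = self._nonce(client, window)
        if not hmac.compare_digest(expected, nonce):
            return False  # nonce was forged or issued to another address
        return _leading_zero_bits(_digest(nonce, answer)) >= DIFFICULTY_BITS


if __name__ == "__main__":
    srv = StatelessPuzzleServer()
    t0 = 1_000_000.0  # constructed clock value
    window, nonce, bits = srv.issue("192.0.2.10", now=t0)
    answer = solve(nonce, bits)
    print("genuine client accepted:", srv.verify("192.0.2.10", window, nonce, answer, now=t0))
    print("spoofed source rejected:", not srv.verify("198.51.100.7", window, nonce, answer, now=t0))
```

The verifier's work is one HMAC and one SHA-256 per answer, and a request that never gets an answer costs it nothing after the reply is sent, which is the state-table problem from the quoted post removed. It does nothing about the last paragraph's scenario: a zombie that really does solve its puzzle and complete the connection is indistinguishable from a legitimate client, and a deployment would also want the cookie bound to more of the connection tuple (SYN cookies put it in the initial sequence number) so a solved puzzle cannot simply be replayed within the window.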


