[noise] DoS *is* a problem
Jason A. Donenfeld
Jason at zx2c4.com
Wed Nov 18 17:01:33 PST 2015
Hi folks,
I ran some numbers. Using a fairly optimized implementation, I've been
seeing how many handshakes per second I can squeeze out of a very
recent Core i7.
For Noise_IK we have two messages. For the second message, since
there's a decryption that must occur first, I can process (and
discard) packets faster than I can generate them and throw them at
localhost. However, the first message begins with an ECDH operation.
The results are not good.
193624 handshakes in 12290 ms
At a very minimum (ignoring transport overhead, framing, etc., and with
zero payload), this message is 96 bytes.
193624 handshakes / 12290 ms * 1000 ms/sec * 96 bytes / 131072 bytes/megabit = 11.5 megabits per second
A high-powered Noise endpoint is DoS-able with only 11.5 megabits per
second of bandwidth. I can launch a denial of service attack over a 4G
cellphone.
So asking again, with one last plea: is there a way we can protect
against this in the crypto? Perhaps utilizing the PSK somehow?
Regards,
Jason
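An added illustration of the closing question (this is not code from the post, the Noise spec, or any Noise implementation): a responder that checks a PSK-keyed tag before it runs the ECDH, so a packet forged without the PSK is rejected at HMAC cost and never reaches the expensive path. The key material, the 32-byte-key-plus-16-byte-tag layout, the HMAC-SHA256 choice and the function names are all constructed assumptions; the X25519 ladder follows RFC 7748.

```python
import hashlib
import hmac
import os
P = 2**255 - 19  # Curve25519 field prime
MAC_LEN = 16
RESPONDER_PRIV = hashlib.sha256(b"constructed responder key").digest()  # constructed
PSK = hashlib.sha256(b"constructed pre-shared key").digest()            # constructed

def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 Montgomery ladder: the expensive step behind every first message.
    a = bytearray(k)
    a[0] &= 248; a[31] &= 127; a[31] |= 64          # clamp the scalar
    k = int.from_bytes(a, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap: x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        A, B = (x2 + z2) % P, (x2 - z2) % P
        AA, BB = A * A % P, B * B % P
        E = (AA - BB) % P
        DA, CB = (x3 - z3) * A % P, (x3 + z3) * B % P
        x3, z3 = pow(DA + CB, 2, P), x1 * pow(DA - CB, 2, P) % P
        x2, z2 = AA * BB % P, E * (AA + 121665 * E) % P
    if swap: x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def mac(psk: bytes, body: bytes) -> bytes:
    # Cheap symmetric tag over the message body (HMAC-SHA256, truncated).
    return hmac.new(psk, body, hashlib.sha256).digest()[:MAC_LEN]

def initiator_first_message(psk: bytes) -> bytes:
    # Constructed layout: 32-byte ephemeral public key || 16-byte PSK tag.
    eph = os.urandom(32)
    body = x25519(eph, (9).to_bytes(32, "little"))
    return body + mac(psk, body)

def handle_first_message(packet: bytes):
    # Returns the DH output, or None when the packet is dropped before any ECDH
    # work. Forged packets cost one HMAC; a replayed genuine packet still passes
    # the tag check, so this limits blind flooding only, not replay.
    if len(packet) != 32 + MAC_LEN:
        return None
    body, tag = packet[:32], packet[32:]
    if not hmac.compare_digest(mac(PSK, body), tag):
        return None
    return x25519(RESPONDER_PRIV, body)
```

With the tag check in front, a flood of packets built without the PSK costs the responder one HMAC-SHA256 each instead of one X25519 each; replayed valid packets still reach the ECDH, so a freshness mechanism would be needed on top.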