[noise] DoS *is* a problem

Michael Hamburg mike at shiftleft.org
Thu Nov 19 11:55:27 PST 2015


I agree with Trevor that you need something more than a MAC.  Possibly a nonce (eg, the ephemeral key), a MAC and an epoch.

For example, if the server is overloaded, it can choose to send back an epoch, which is just a number that changes once a minute.  (It could be the current time, or a random number.)  The client must resend its handshake, or a new one, with the epoch and a MAC on the whole thing with whatever quasi-secret key you’re using.

If the server isn’t overloaded, it can simply accept all handshakes even without the epoch.  Or all connections could contain an epoch, but the server would only care if it’s under load.  It could even set the window based on load.  For example, it could store the last hundred thousand successful handshakes, and the client’s time must be within the window so that the server can verify uniqueness.

Cheers,
— Mike

> On Nov 19, 2015, at 5:13 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> 
> On Thu, Nov 19, 2015 at 12:54 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Even at 20k/second, each message of NoiseIK has 2 ECDH operations. So,
>> 10k/second:
>> 
>> 10000 handshakes/second * 96 bytes / 131072 bytes/megabit = 7.3
>> megabits per second
>> 
>> That seems like a big big big problem
> 
> And even the argument of "well, that's a lot of packets per second,
> even if they're small..." This sub-$100 router [1] forwards 1 million
> packets per second, and this is just some commodity device. Real
> networks have far more throughput.
> 
> [1] https://www.ubnt.com/edgemax/edgerouter-lite/
> _______________________________________________
> Noise mailing list
> Noise at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/noise



More information about the Noise mailing list