<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Jul 16, 2015 at 1:42 PM, Jason A. Donenfeld <span dir="ltr"><<a href="mailto:Jason@zx2c4.com" target="_blank" onclick="window.open('https://mail.google.com/mail/?view=cm&tf=1&to=Jason@zx2c4.com&cc=&bcc=&su=&body=','_blank');return false;">Jason@zx2c4.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I can send around 10 gigabits of data per second of illegitimate<br>
post-handshake data messages, before the CPU is maxed out. That's<br>
good.<br>
But, I can only send around 70 megabits per second of handshake<br>
messages, before the CPU is maxed out. Bad news bears.</blockquote><div><br></div><div>For what it's worth, TLS completely punts on this problem. It's known among other things as the "THC attack", and since it can be used against RSA it's considerably worse:</div><div><br></div><div><a href="https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks">https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks</a></div><div><br></div><div>There have been attempts at solving this ("client puzzles") but I can't say I'm really a fan.</div><div><br></div><div>70 Mbps of handshake messages (per node) seems good to me?</div></div><div><br></div>-- <br><div class="gmail_signature">Tony Arcieri<br></div>
</div></div>