[noise] DoS *is* a problem
Jason A. Donenfeld
Jason at zx2c4.com
Thu Nov 19 03:54:09 PST 2015
On Thu, Nov 19, 2015 at 7:40 AM, Trevor Perrin <trevp at trevp.net> wrote:
> On Wed, Nov 18, 2015 at 7:20 PM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
>> Welp, I've implemented some hash token bucket situation, which is a
>> decent practical solution.
I take that back. My token bucket is totally worthless, since my
protocol runs over UDP, where source IPs can be spoofed anyway.
>
> Also, you're probably worrying too much about computational DoS based
> on a single ECDH. Modern server-class CPUs can do ~20K variable-base
> 25519 ops per second per core.
Even at 20k/second, each message of NoiseIK has 2 ECDH operations. So,
10k/second:
10000 handshakes/second * 96 bytes / 131072 bytes/megabit = 7.3 megabits per second
That seems like a big big big problem.
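As an added example (not code from the original post, and not from the Noise project or any Noise implementation), the Python below models the two points made in this message: the bandwidth arithmetic, parameterised so it can be re-run for other ECDH rates, core counts and message sizes, and a salted-hash per-source-IP token bucket of the kind the post describes, fed first by a single real source and then by a flood whose source addresses are spoofed. The bucket's rate and burst, the salted BLAKE2b keying of the bucket table, and the constructed address ranges are assumptions of the example, not details from the thread.

```python
"""Model of the handshake-DoS budget and of why a per-source-IP token
bucket does not help when the transport is UDP and source addresses can
be forged.  Added example; not code from the post or from any Noise
implementation.  The default rates and sizes are the figures quoted in
the e-mail (20k ECDH/s per core, 2 ECDH per NoiseIK message, 96-byte
message, 131072-byte 'megabit'); bucket parameters are assumed."""

import hashlib
import os
import random


def attacker_bandwidth_mbit(ecdh_per_sec_per_core=20_000, cores=1,
                            ecdh_per_handshake=2, msg_bytes=96,
                            bytes_per_megabit=131072):
    """Bandwidth an attacker needs to keep every core saturated with
    handshake ECDH work.  Defaults reproduce the post's 7.3 Mbit/s."""
    handshakes_per_sec = ecdh_per_sec_per_core * cores / ecdh_per_handshake
    return handshakes_per_sec * msg_bytes / bytes_per_megabit


class HashTokenBucket:
    """One token bucket per source address, indexed by a keyed hash of the
    address so the table key does not leak the peer list.  Refills at
    `rate` tokens/second up to `burst`.  (Assumed shape of the 'hash token
    bucket' mentioned in the post.)"""

    def __init__(self, rate, burst, salt=None):
        self.rate = rate
        self.burst = burst
        self.salt = salt or os.urandom(16)
        self.buckets = {}  # keyed-hash(ip) -> (tokens, last_seen)

    def _key(self, ip):
        return hashlib.blake2b(ip.encode(), key=self.salt,
                               digest_size=8).digest()

    def allow(self, ip, now):
        """Spend one token for `ip` if available; return True if admitted."""
        key = self._key(ip)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:
            self.buckets[key] = (tokens, now)
            return False
        self.buckets[key] = (tokens - 1, now)
        return True


def simulate(bucket, sources, now):
    """Offer one handshake packet per entry of `sources` at the same
    instant; return how many the bucket would let through to the ECDH."""
    return sum(bucket.allow(ip, now) for ip in sources)


def flood_from_one_source(n_packets, rate=100, burst=10):
    """Honest-source case: a single (constructed) address sends n packets
    in one burst.  The bucket caps admissions at `burst`."""
    bucket = HashTokenBucket(rate, burst)
    return simulate(bucket, ["203.0.113.7"] * n_packets, now=0.0)


def flood_with_spoofed_sources(n_packets, rate=100, burst=10, seed=1):
    """UDP case: the same n packets, each with a forged random source
    address.  Every packet lands in a fresh bucket, so the limiter admits
    essentially all of them and the server does the full ECDH for each."""
    rng = random.Random(seed)
    spoofed = [".".join(str(rng.randrange(256)) for _ in range(4))
               for _ in range(n_packets)]
    bucket = HashTokenBucket(rate, burst)
    return simulate(bucket, spoofed, now=0.0)


if __name__ == "__main__":
    print("Mbit/s to saturate one core:", round(attacker_bandwidth_mbit(), 1))
    print("admitted, one real source:", flood_from_one_source(10_000))
    print("admitted, spoofed sources:", flood_with_spoofed_sources(10_000))
```

Running it shows the two cases side by side: the honest burst is cut to the bucket size, while the spoofed flood is admitted almost in full, which is the sense in which the per-IP bucket is worthless over UDP, and `attacker_bandwidth_mbit(cores=N)` gives the flood size needed against an N-core server under the post's assumptions.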