[noise] My compromise for dealing with DoS

Tony Arcieri bascule at gmail.com
Sat Jan 9 11:34:58 PST 2016

On Sat, Jan 9, 2016 at 9:55 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:

> As we know, computing DH is CPU intensive. In order to fend off a
> CPU-exhaustion attack, if the server is under load, it may choose to
> not process handshake messages, but instead respond with a cookie
> reply packet.

There's something a lot simpler you can do though... you can detect the
attack, and rate limit your responses by IP address.

That clearly doesn't work in a DDoS scenario, but if you're getting DDoSed,
you'll probably want to be running your traffic through someone like
Prolexic anyway who will do more advanced traffic filtering.

Tony Arcieri
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160109/ef80f241/attachment.html>

More information about the Noise mailing list