[noise] My compromise for dealing with DoS

Jason A. Donenfeld Jason at zx2c4.com
Sat Jan 9 11:45:52 PST 2016


Hi Tony,

This is, in fact, exactly what I'm doing. Once I do the cookie exchange, I
rate limit based on IP using the normal token bucket networking stuff.

The issue is that, like DTLS and IKE, I'm using UDP, so IPs can be spoofed.
The goal of this is to prevent IP spoofing in a way superior to TCP/SCTP
and DTLS/IKE. Then, once I've attributed an IP address, I do the rate
limiting.

Jason
On Jan 9, 2016 8:38 PM, "Tony Arcieri" <bascule at gmail.com> wrote:

> On Sat, Jan 9, 2016 at 11:34 AM, Tony Arcieri <bascule at gmail.com> wrote:
>
>> There's something a lot simpler you can do though... you can detect the
>> attack, and rate limit your responses by IP address.
>>
>
> That is to say:
>
> We have an attack detector. It sees a flood coming from IP address X.
>
> We now flip on a rate limiter for IP address X. We pick a limit... say N
> requests per second, and if IP address X sends more than N requests per
> second, we simply drop them.
>
> --
> Tony Arcieri
>
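A minimal model of the two stages Jason describes (a stateless cookie exchange that attributes the UDP source address, then a per-IP token bucket), added here as an illustration and not code from Noise or any implementation discussed on the list; the rate, burst and clock parameters are assumptions:

```python
import hmac, hashlib, os, time

class CookieResponder:
    """Added example: attribute a UDP source address via a stateless cookie,
    then apply a token bucket per attributed IP. Not Noise/WireGuard code."""

    def __init__(self, rate, burst, now=time.monotonic):
        self.secret = os.urandom(32)   # assumption: rotated periodically in practice
        self.rate, self.burst, self.now = rate, burst, now
        self.buckets = {}              # ip -> (tokens, last_refill_time)

    def cookie_for(self, ip):
        # Stateless: the responder keeps nothing per client until the cookie returns.
        return hmac.new(self.secret, ip.encode(), hashlib.sha256).digest()[:16]

    def attribute(self, ip, cookie):
        # A sender spoofing this address never receives the reply that carries
        # the cookie, so it cannot echo a valid one; a genuine sender can.
        return hmac.compare_digest(self.cookie_for(ip), cookie)

    def allow(self, ip):
        # Standard token bucket: refill at `rate` tokens/s, cap at `burst`.
        tokens, last = self.buckets.get(ip, (self.burst, self.now()))
        t = self.now()
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, t)
            return True
        self.buckets[ip] = (tokens, t)
        return False

    def handle(self, ip, cookie=None):
        """Returns 'cookie' (cheap challenge reply), 'drop', or 'accept'."""
        if cookie is None or not self.attribute(ip, cookie):
            return 'cookie'   # unattributed or spoofed sources stop here
        return 'accept' if self.allow(ip) else 'drop'
```

Only traffic that has proven it can receive at its claimed address consumes bucket tokens, so a spoofed flood never reaches the rate limiter's per-IP state.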