Yoav Nir <ynir.i...@gmail.com> wrote:
    >> Graham Bartlett (grbartle) <grbar...@cisco.com> wrote:
    >>> Now the only issue I can see is alluded to in the draft, where a VPN
    >>> headend is serving clients with varying resource. So say a botnet
    >>> attacks this headend and the puzzle is enabled, you have some clients
    >>> with a lot of resource (that require a hard puzzle) and some mobile
    >>> devices with minimal (that require an easier puzzle). How do you
    >>> identify each? The only way I can think is you must do this once the
    >>> device has authenticated itself - else how do you know who they are?
    >> 
    >> I have two observations here.
    >> 
    >> The first is that while the botnet can pull in potentially hundreds of
    >> teraflops of computation in order to solve a harder puzzle, it has
    >> communication overhead in order to do that;
    >> 
    >> The second observation is that the puzzle has to be trivially
    >> parallelizable in order for the botnet (or even the multi-core mobile
    >> phone!) to do better than a single CPU.

    > I don’t think this is the best strategy for the botnet. Rather than
    > pool all their resources to solve a single puzzle (bitcoin-style),
    > wouldn’t it be better for each node to act like a legitimate client and
    > solve its own puzzle in however long it takes?

I agree that this might be a better strategy for the botnet, and I think
one that we can more easily defend against.

So the goal here is to make sure that we select puzzles which drive the
botnet towards this.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [ 
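To make the parallelizability point above concrete, here is a small added model (my own toy code, not from the draft or from anyone in the thread). It assumes a hash-prefix puzzle, "find a nonce so that SHA-256(cookie || nonce) has `bits` leading zero bits", which the thread does not specify, and contrasts it with a chained puzzle that does not split across cores; the cookie value is constructed.

```python
import hashlib

# Constructed sample cookie; a real headend would bind its cookie to the
# client's address and the difficulty it chose for that client.
COOKIE = b"constructed-demo-cookie"

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a 256-bit digest."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def prefix_ok(cookie: bytes, nonce: int, bits: int) -> bool:
    """Verifier side: one hash, however the solver searched (assumed format)."""
    h = hashlib.sha256(cookie + nonce.to_bytes(8, "big")).digest()
    return leading_zero_bits(h) >= bits

def solve_prefix(cookie: bytes, bits: int, workers: int = 1):
    """Hash-prefix puzzle, about 2**bits hashes in total.  Simulates
    `workers` cores each scanning a disjoint residue class of the nonce
    space; every candidate is independent, so the work splits cleanly.
    Returns (nonce, hashes done by the worker that found it)."""
    counts = [0] * workers
    nonce = 0
    while True:
        w = nonce % workers
        counts[w] += 1
        if prefix_ok(cookie, nonce, bits):
            return nonce, counts[w]
        nonce += 1

def solve_chain(seed: bytes, steps: int) -> bytes:
    """Chained puzzle: step i needs step i-1's output, so it costs `steps`
    hashes on one core and still `steps` hashes on a thousand.  The price
    is that the verifier must repeat the same work (or precompute it)."""
    h = seed
    for _ in range(steps):
        h = hashlib.sha256(h).digest()
    return h

def chain_ok(seed: bytes, steps: int, answer: bytes) -> bool:
    """Verifier for the chained puzzle: recompute and compare."""
    return solve_chain(seed, steps) == answer

if __name__ == "__main__":
    for workers in (1, 4, 16):
        nonce, work = solve_prefix(COOKIE, 12, workers)
        print(f"prefix puzzle, {workers:2d} cores: winner did {work} hashes")
    answer = solve_chain(COOKIE, 1000)
    print("chain puzzle verifies:", chain_ok(COOKIE, 1000, answer))
```

The winner's hash count in the prefix puzzle drops roughly in proportion to the number of cores, which is exactly the property a headend choosing a per-client difficulty has to reckon with; the chain variant resists that but shifts the cost onto the verifier.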



_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec