Yoav Nir <[email protected]> wrote: >> Graham Bartlett (grbartle) <[email protected]> wrote: >>> Now the only issue I can see is alluded to in the draft, where a VPN >>> headend is serving clients with varying resource. So say a botnet >>> attacks this headend and the puzzle is enabled, you have some clients >>> with a lot of resource (that require a hard puzzle) and some mobile >>> devices with minimal (that require an easier puzzle). How do you >>> identify each? The only way I can think is you must do this once the >>> device has authenticated itself - else how do you know who they are? >> >> I have two observations here. >> >> The first is that while the botnet can pull in potentially hundreds of >> teraflops of computation in order to solve a harder puzzle, it has >> communication overhead in order to do that; >> >> The second observation is that the puzzle has to be trivially >> parallelizable in order for the botnet (or even the multi-core mobile >> phone!) to do better than a single CPU.
> I don’t think this is the best strategy for the botnet. Rather than
> pool all their resources to solve a single puzzle (bitcoin-style),
> wouldn’t it be better for each node to act like a legitimate client and
> solve its own puzzle in however long it takes?
I agree that this might be a better strategy for the botnet, and I think
that we can more easily defend against.
So the goal here is to make sure that we select puzzles which drive the
botnet towards this.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
pgplsPnw9Tg_7.pgp
Description: PGP signature
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
