Hi,
> > I have just produced a patch against the upstream HEAD version, to
> > seek a way to fight against DoS attack in openssl itself,
> > the logic is simple, get client's ip address in BIO layer,
> > and send this info to upper SSL layer; In SSL layer,
> > according to the client ip and control policy to do control.
My memory of the technical details is a bit vague, so sorry if this is a
stupid question, but anyway:

Can this really help? I.e. isn't it very easy to put wrong IP addresses into the
packet you send to a server? So you can just flood the server with requests
that all _seem_ to originate from different clients?
After all, as an attacker you don't really care about getting the answer
packets, or do you?

So your solution slows down the server side even more (even if just by
a factor of 1.01 or smaller) while only helping against attackers who
don't know about that trick yet.

Regards,
Stefan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]