On 2008-8-19, at 17:20, ext David Barrett wrote:

> On Tue, 19 Aug 2008 4:19 pm, Lars Eggert wrote:
>> Actually, in 1994, the IETF standardized Transactional TCP (T/TCP) in
>> RFC1644, which allows just that. However, there are serious DDoS
>> issues with T/TCP which have prevented it seeing significant
>> deployment.
>
> Hm, I'm sorry I don't know the history there -- why is this more costly
> or abusive than SSL over standard TCP? Is it due to something specific
> to SSL, or due to a simple lack of congestion control on those first
> payloads?
The issue is unrelated to a specific kind of SYN payload (SSL or otherwise). The issue is that a SYN flood of SYNs with data consumes much more memory on the receiver than a regular SYN flood, because the receiver is obligated to cache the data if a T/TCP liveness check fails. You can't use SYN cookies with data SYNs, either.

IMO it's a non-starter if an approach for widescale opportunistic encryption would make hosts more vulnerable to DDoS attacks.

Lars

_______________________________________________
p2p-hackers mailing list
[email protected]
http://lists.zooko.com/mailman/listinfo/p2p-hackers
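A small model of the memory argument in the message above, added here as an illustration and not part of the original thread or of any T/TCP implementation. It compares a listener that answers plain SYNs statelessly with SYN cookies against one that accepts data on the SYN and must hold that data whenever the TAO-style liveness test fails. The TAO cache, the cookie derivation and the optional byte budget are simplifying assumptions; `Listener`, `flood` and `syn_cookie` are names chosen for this example, and all addresses, secrets and payloads are constructed.

```python
"""Toy model of listener-side state under a SYN flood, with and without
SYN payloads. Constructed example: it sends no packets and models only
the state a listener must keep per half-open connection."""
import hashlib
import hmac
import struct
from typing import Optional

COOKIE_SECRET = b"constructed-secret-for-demo"  # constructed, not real key material


def syn_cookie(src: str, sport: int, dport: int, counter: int) -> int:
    """SYN-cookie style ISN: an HMAC over the connection tuple and a coarse
    time counter, so the listener can check the returning ACK without
    having stored anything about the SYN."""
    msg = f"{src}:{sport}:{dport}:{counter}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]


class Listener:
    def __init__(self, syn_data: bool, max_unverified_bytes: Optional[int] = None):
        self.syn_data = syn_data                          # accept payload on SYN (T/TCP-like)?
        self.max_unverified_bytes = max_unverified_bytes  # optional cap on buffered SYN data
        self.tao_cache = {}      # host -> highest connection count (CC) seen from it
        self.half_open = {}      # (src, sport) -> payload waiting for the handshake ACK
        self.established = 0
        self.counter = 0         # coarse time counter for cookies

    def bytes_held(self) -> int:
        return sum(len(p) for p in self.half_open.values())

    def on_syn(self, src, sport, dport, cc, payload=b"") -> int:
        """Returns bytes delivered to the application immediately."""
        if payload and self.syn_data:
            last = self.tao_cache.get(src)
            if last is not None and cc > last:
                # TAO passes: the SYN counts as a verified open, deliver at once.
                self.tao_cache[src] = cc
                self.established += 1
                return len(payload)
            # TAO fails (unknown host or stale CC): fall back to a 3-way
            # handshake, but the data has already arrived and must be held
            # until the ACK, so a cookie cannot make this path stateless.
            budget_ok = (self.max_unverified_bytes is None
                         or self.bytes_held() + len(payload) <= self.max_unverified_bytes)
            if budget_ok:
                self.half_open[(src, sport)] = payload
            # Over budget: drop the data and answer like a plain SYN; the peer
            # resends after the handshake. Defensive choice assumed here, not
            # something the message specifies.
            return 0
        # Plain SYN: reply with a cookie-derived ISN and keep no state.
        syn_cookie(src, sport, dport, self.counter)
        return 0

    def on_ack(self, src, sport, dport, ack_isn, cc=None) -> int:
        """Completes the handshake. Returns bytes delivered now, -1 if invalid."""
        key = (src, sport)
        if key in self.half_open:
            # Stateful fallback path (sequence-number check elided in the model).
            data = self.half_open.pop(key)
            if cc is not None:
                self.tao_cache[src] = cc
            self.established += 1
            return len(data)
        for c in (self.counter, self.counter - 1):   # current or previous time slot
            if ack_isn == (syn_cookie(src, sport, dport, c) + 1) & 0xFFFFFFFF:
                self.established += 1
                return 0
        return -1


def flood(listener: Listener, n: int, payload_size: int) -> int:
    """Spoofed burst: n never-seen sources, each sending a SYN carrying
    payload_size bytes, none completing the handshake. Returns the bytes
    the listener is left holding."""
    for i in range(n):
        src = f"10.{i // 65536}.{(i // 256) % 256}.{i % 256}"  # constructed spoofed sources
        listener.on_syn(src, 40000 + (i % 20000), 443, cc=1, payload=b"x" * payload_size)
    return listener.bytes_held()
```

With `syn_data=False` the flood leaves the listener holding nothing, because the cookie carries everything it needs to validate a later ACK; with `syn_data=True` every spoofed source fails the TAO test and its payload is parked until an ACK that never comes, so held memory grows linearly with the flood. The budget parameter shows the only stateless-ish way out: refuse to buffer unverified data once a cap is hit, which also gives up the latency benefit the data-on-SYN was meant to provide.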
