9

Page 183 of Secrets & Lies on countering denial-of-service attacks:

Some researchers have proposed defenses that force the client to perform an expensive calculation to make a connection. The idea is that if the client has to spend computation time to make a connection, then it can't flood the target with as many connections.

Forcing the client to perform a calculation before connecting seems like a pretty good way to fight DoS, but are there some examples of this method used in practice?

Specifically, how can I use this idea to protect my HTTP server from DoS attacks?

Pacerier
  • 3,253
  • 6
  • 34
  • 61

1 Answer

8

I think this idea basically describes the proof-of-work concept as it is used in anti-spam setups or, more popularly, Bitcoin.

Proof-of-work is used to make the requester/sender perform a small computation to show its authenticity, following the idea that spammers (including non-mail-related spam) will avoid such systems because it would cost them too much CPU power to send their spam.

I don't know of any implementation in "regular" HTTP traffic, though it seems they definitely exist:

Their implementation: common DoS attacks are based on the TCP protocol (the basis for HTTP traffic). The attacks abuse the three-way handshake by sending SYN requests to the server without answering the SYN-ACK signals the server sends back. As is the main idea of a DoS attack, the server can only have so many outstanding requests and stops sending them to legitimate senders of SYN signals at some point, therefore appearing offline. By adding an extra layer in the three-way handshake via POW, the TCP DoS is avoided because the additional computations required disrupt the intended DoS flow of requests. As only legitimate requests reach the server, HTTP traffic can flow freely, and because the extra computations required by the POW take only 0.2-0.3 seconds, no real delay is experienced by the user.

Also, this question might hold some relevant info

user3244085
  • 1,173
  • 6
  • 13
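The following is an added example, not code from the answer above, from the product it describes, or from Secrets & Lies. It shows the proof-of-work idea applied at the HTTP layer (which is what the question asks about) rather than inside the TCP handshake: the server answers an unproven request with a hashcash-style challenge, the client burns CPU finding a counter whose SHA-256 hash has enough leading zero bits, and the server verifies with one HMAC and one hash. The header names (`X-PoW-Challenge`, `X-PoW-Solution`), the 429 status, the 16-bit default difficulty and the 60-second challenge lifetime are all assumptions made for this example. Two details matter for not creating a new DoS vector while fixing one: the challenge is stateless (an HMAC proves the server issued it, so nothing is stored per client), and it is bound to the client address and a timestamp so solved puzzles cannot be stockpiled or replayed.

```python
import hashlib
import hmac
import os
import time

# Assumed deployment parameters for this example.
SERVER_KEY = os.urandom(32)   # per-process secret; in practice load from config and rotate
CHALLENGE_TTL = 60            # seconds a challenge stays valid
DIFFICULTY_BITS = 16          # leading zero bits required; ~2^16 hashes on average for the client
SEP = "|"                     # field separator (":" would clash with IPv6 addresses)


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def issue_challenge(client_ip: str, difficulty_bits: int = DIFFICULTY_BITS, now=None) -> str:
    """Server: build <ts>|<bits>|<client_ip>|<nonce>|<mac>. The HMAC lets the server
    recognise its own challenges later without keeping any per-client state."""
    ts = int(now if now is not None else time.time())
    nonce = os.urandom(8).hex()
    body = SEP.join([str(ts), str(difficulty_bits), client_ip, nonce])
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return body + SEP + mac


def solve_challenge(challenge: str) -> int:
    """Client: brute-force a counter until SHA-256(challenge|counter) has enough
    leading zero bits. This is the cost the client pays for every connection."""
    difficulty = int(challenge.split(SEP)[1])
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}{SEP}{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


def verify_solution(challenge: str, counter: int, client_ip: str, now=None) -> bool:
    """Server: constant work regardless of puzzle difficulty. Rejects forged,
    mis-bound or expired challenges before checking the puzzle itself."""
    parts = challenge.split(SEP)
    if len(parts) != 5:
        return False
    ts_s, diff_s, ip, nonce, mac = parts
    body = SEP.join([ts_s, diff_s, ip, nonce])
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return False                      # not issued by us (or tampered difficulty)
    if ip != client_ip:
        return False                      # solved by / for a different client
    try:
        ts, difficulty = int(ts_s), int(diff_s)
    except ValueError:
        return False
    current = now if now is not None else time.time()
    if not (0 <= current - ts <= CHALLENGE_TTL):
        return False                      # expired or from the future: no stockpiling
    digest = hashlib.sha256(f"{challenge}{SEP}{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= difficulty


def handle_request(headers: dict, client_ip: str, difficulty_bits: int = DIFFICULTY_BITS, now=None):
    """Server request gate. Returns (status, response_headers). A request that
    carries a valid (challenge, solution) pair is admitted; anything else gets
    a fresh challenge and a 429 so the real handler never runs for it."""
    ch = headers.get("X-PoW-Challenge")
    sol = headers.get("X-PoW-Solution")
    if ch is not None and sol is not None and sol.isdigit():
        if verify_solution(ch, int(sol), client_ip, now):
            return 200, {}
    return 429, {"X-PoW-Challenge": issue_challenge(client_ip, difficulty_bits, now)}


if __name__ == "__main__":
    # Constructed exchange: first request is challenged, client solves, retry is admitted.
    client = "203.0.113.7"
    status, resp = handle_request({}, client)
    print("first request ->", status)
    t0 = time.time()
    answer = solve_challenge(resp["X-PoW-Challenge"])
    print(f"client solved in {time.time() - t0:.2f}s (counter {answer})")
    status, _ = handle_request(
        {"X-PoW-Challenge": resp["X-PoW-Challenge"], "X-PoW-Solution": str(answer)}, client)
    print("retry ->", status)
```

Raising `DIFFICULTY_BITS` by one doubles the client's average work while the server's verification cost stays at one HMAC and one hash, which is the asymmetry the whole scheme relies on. The caveat a practitioner should keep in mind is that this raises the attacker's cost per request rather than eliminating the attack: a botnet or GPU farm has far more hash throughput than a phone on a slow CPU, so difficulty has to be tuned (ideally adaptively, per source, as load rises) and the gate belongs in front of the expensive handlers alongside ordinary rate limiting, not instead of it.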