Re: Searching for a special challenge&response algorithm

Jan Peter Stotz wrote:
Hi,

I am searching for a special challenge & response algorithm which allows to
prevent (or better slow down) denial of service attacks. Until now I did
not succeed in finding a suitable algorithm, but may be I only used the
wrong keywords.

The general idea is as follows:
When a client connects to a server it has to authenticate itself against
the server. For preventing brute force attacks against this authentication
(systematic testing) with one client the server creates a challenge which
has to be solved by the client. For solving the challenge the client needs
a bit of CPU power which results in a delay of about a second. The server
only allows an authentication by the client after successfully solving the
challenge. So i am searching for an algorithm which can be used in such an situation.
An additional demand to such an algorithm is that creating the challenge
and testing the client answer on server-side, if it is solved correctly
should be possible with as less as possible resources.

Does anybody know such an algorithm?

What's the DoS you're referring to?? 1 million clients requesting that
they want to be authenticated? Clients receiving the challenge and then
not responding so that the server runs out of resources because it has
to store the challenges?

I don't think any DoS attack is solved with a different C-R protocol;
it's the implementation, if anything. Have the server limit the amount
of requests that it can accept. Specify a sensible timeout for the
clients to respond. Put timestamps to the challenges, and if the
server runs out of capacity for new requests, start discarding the
oldest unresponded challenges, etc. Maybe set up some "reserved seats"
for privileged connections (e.g., from some IPs), so that you never
deny service to those, no matter how many other connections are being
handled.

Other than that, the protocol could be simple -- issue the challenge
from a high-quality, cryptographic random source (if on Linux/Unix
systems, try /dev/urandom) and store a timestamp and an IP address
associated with that challenge; then, have the client compute the
SHA-256 of their password with the challenge concatenated). The
challenge could be 128 bits (16 bytes read from /dev/urandom) --
that should be plenty enough.

HTH,

Carlos
--
.

Relevant Pages

  • Re: Client DDoS requests, ideas?
    ... This wasn't a question specific to any client. ... protocol & app attacks either weren't effective or the ... We're talking straight pipe vs. pipe DoS options. ... A mail server that uses spf could be attacked by creating HUGE spf ...
    (Pen-Test)
  • Re: Rogue dings 70 and does BGs
    ... I'm sure that I've seen some attacks ... Sometimes you have to actually be *in* the mob to be close enough to ... impossible once they actually get to the server. ... Half a second for the action to reach your client then another ...
    (alt.games.warcraft)
  • Re: WSE3003 Error - encryption algorithm differs on client and server
    ... In order to change the default algorithm, you need to add the following ... When my client is windows xp and server is the same, ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Searching for a special challenge&response algorithm
    ... prevent denial of service attacks. ... When a client connects to a server it has to authenticate itself against ... So i am searching for an algorithm which can be used in such an situation. ...
    (sci.crypt)
  • Re: default SecurityTokenManager bug?
    ... X509 Token Manger default session ... Algorithm was default value. ... At server side, you should put the code at Global.asax ... > i put this code in both the client and server of the ResponseEncryptCode ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
Loading