A DoS would not pitch one client against one server. A distributed attack using several clients could overcome any single server advantage. A scalable strategy would be a queue system for distributing load to a pool of servers and a rating system for early rejection of repeated bad queries from a source. The rating system would reset the source rating after a pre-defined time, much like anti-congestion mechanisms on the Net. Fast rejection of bogus signatures would help, but not alone.
Cheers, Ed Gerck Bill Frantz wrote: > I have been thinking about how to limit denial of service attacks on a > server which will have to verify signatures on certain transactions. It > seems that an attacker can just send random (or even not so random) data > for the signature and force the server to perform extensive processing just > to reject the transaction. > > If there is a digital signature algorithm which has the property that most > invalid signatures can be detected with a small amount of processing, then > I can force the attacker to start expending his CPU to present signatures > which will cause my server to expend it's CPU. This might result in a > better balance between the resources needed by the attacker and those > needed by the server. > > Cheers - Bill > > ------------------------------------------------------------------------- > Bill Frantz | The principal effect of| Periwinkle -- Consulting > (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. > [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED] --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
