[stunnel-users] stunnel throttling and statistics

Michal Trojnara Michal.Trojnara at mobi-com.net
Fri Jul 10 13:20:08 CEST 2009


Laurens Van Houtven wrote:
> In order to sort-of fix this problem, I'm using UUIDs so that the
> keyspace is so absurdly huge that the odds that someone will guess a
> key are second to none. Still, if someone is misbehaving (trying a
> large number of bogus keys) it would be nice to know who it is so I
> could stop wasting CPU time and bandwidth on them.

IMHO it should be possible to check between 2^10 and 2^14 keys per second
with this attack.  To succeed the attacker would need (on average)
2^128 / 2^14 / 2 = 2^113 seconds
Since the universe is only 1.5 * 2^58 seconds old this approach is not
really practical (as you noticed).  IMHO it's better to implement some
generic DoS countermeasures rather than protect against this specific
attack.

Best regards,
    Mike
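
An added example, not part of the original message and not stunnel code: the search-time estimate above as a function, plus one generic countermeasure of the kind suggested, a per-source sliding-window limiter applied to every connection whether or not the key is valid. All names, limits and the event list are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

def avg_search_time_log2(key_bits, rate_log2):
    """log2 of the average seconds needed to guess one key of key_bits bits
    at 2**rate_log2 guesses per second (half the keyspace on average)."""
    return key_bits - rate_log2 - 1

class PerSourceLimiter:
    """Allow at most max_events per source in any window_ms-long window."""
    def __init__(self, max_events, window_ms):
        self.max_events = max_events
        self.window_ms = window_ms
        self.accepted = defaultdict(deque)  # source -> accepted timestamps (ms)

    def allow(self, source, now_ms):
        q = self.accepted[source]
        # Forget accepted events that have aged out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.max_events:
            return False  # over budget: drop before doing any key lookup
        q.append(now_ms)
        return True

def throttled_sources(events, max_events, window_ms):
    """Replay (timestamp_ms, source) events; return {source: dropped count}."""
    limiter = PerSourceLimiter(max_events, window_ms)
    dropped = defaultdict(int)
    for ts, src in events:
        if not limiter.allow(src, ts):
            dropped[src] += 1
    return dict(dropped)

# Constructed sample: one source opening 100 connections/s for 2 s,
# and one well-behaved source connecting once per second.
EVENTS = sorted(
    [(i * 10, "198.51.100.7") for i in range(200)]
    + [(i * 1000, "192.0.2.10") for i in range(3)]
)

if __name__ == "__main__":
    for rate in (10, 14):  # the 2^10 .. 2^14 guesses/s range from the message
        print(f"2^{rate} guesses/s -> 2^{avg_search_time_log2(128, rate)} s")
    print(throttled_sources(EVENTS, max_events=20, window_ms=1000))
```

The returned dictionary names the sources that exceeded the budget and how many of their connections were dropped, which also answers the question of who is misbehaving.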


