spf-discuss

Re: Attacking Domain Keys

2004-11-26 08:00:55

On Nov 26, 2004, at 9:45 AM, James Couzens wrote:

On Fri, 2004-11-26 at 13:54 +0000, David Woodhouse wrote:
On Fri, 2004-11-26 at 05:47 -0800, James Couzens wrote:
With all due respect, please, THINK BIGGER. How about AOL. Just how is
AOL with 90M mailboxes going to deal with my 1,000 node drone army that
is spewing forth 100,000 fake signed messages laden with random data?

As an "attacker" I can randomly generate and sign a massive volume of
messages destined to the victim, who falls victim to the burden of not
only having to perform public key cryptography; he also can't do
anything until paying I/O costs as well. Since the DK key is signed in
2822, they have to wait for DATA to finish, and then they have to parse
the data to look for the signature that I signed, which cost me nothing
because I just generated gibberish looking valid.

None of the big providers care about bandwidth - it's no longer a primary cost; besides, as David noted, bandwidth is of identical concern with a traditional DDOS. As far as the processing goes, I can validate a couple hundred messages per second on a single <$1000 box, so the computational cost isn't high either.

Move along, nothing to see here.

George
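
The verification cost argued over in this thread can be measured directly. The following is an added example, not code from any poster or from DomainKeys itself: it rejects a random "signature" with one small-exponent RSA operation and compares that rate with private-key signing. Assumptions: a constructed 1024-bit key with e=65537, RSA-SHA1 with PKCS#1 v1.5 encoding over the raw message bytes (no header parsing or canonicalization), and textbook RSA built from the Python standard library.

```python
import hashlib, secrets, time

# ASN.1 DigestInfo prefix for SHA-1 (PKCS#1 v1.5)
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def is_probable_prime(n, rounds=20):
    """Miller-Rabin; only used to build the constructed demo key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_key(bits=1024, e=65537):
    """Constructed throwaway RSA key (n, e, d); not for real use."""
    def prime(b):
        while True:
            p = secrets.randbits(b) | (3 << (b - 2)) | 1
            if (p - 1) % e and is_probable_prime(p):
                return p
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def encode(msg, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(msg), as an integer."""
    t = SHA1_PREFIX + hashlib.sha1(msg).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def sign(msg, n, d):
    return pow(encode(msg, n), d, n)

def verify(msg, sig, n, e):
    # Re-encode and compare: a random "signature" fails after one cheap pow().
    return 0 <= sig < n and pow(sig, e, n) == encode(msg, n)

def per_second(fn, count=50):
    start = time.perf_counter()
    for _ in range(count):
        fn()
    return count / (time.perf_counter() - start)

if __name__ == "__main__":
    n, e, d = make_key()
    msg = b"From: a@example.org\r\n\r\nconstructed sample body\r\n"
    forged = secrets.randbits(1023)  # random data standing in for a signature
    print("forged accepted:", verify(msg, forged, n, e))
    print("verify/s:", round(per_second(lambda: verify(msg, forged, n, e))))
    print("sign/s:  ", round(per_second(lambda: sign(msg, n, d))))
```

The rates it prints are for unoptimized Python on whatever machine runs it; the useful output is the ratio between rejecting a bad signature and producing a good one.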

