Hacker News new | past | comments | ask | show | jobs | submit login
D(HE)at: A Practical DoS Attack on the Finite Field Diffie–Hellman Key Exchange (ieee.org)
37 points by c0r0n3r 6 months ago | hide | past | favorite | 13 comments



This specifically (CPU exhaustion attack) is called out as a rationale for why Wireguard implements cookie reply packets[1]. If a verified source is DOSing you with bad handshakes, maybe its time for their IP to be put in timeout in an upstream routing table.

[1] https://www.wireguard.com/protocol/#dos-mitigation


Seems pretty boring. It's an unbalanced computation issue: the server sends B=g^b to the client, expecting the client to generate and send A=g^a. Instead, the client sends a random A, "proving no work" so to speak. Repeat. I think that's the whole attack?


This reads like a "I got funding but my original research didn't pan out and I need to publish something."


The linked article really beats around the bush before describing the attack. This link is a bit better: https://dheatattack.gitlab.io/dheater/ It honestly doesn't seem that impactful to me.


Discussing cryptographic solutions to denial of service attacks always seem a tad disingenuous. In the MITM model, the attacker is in full control of the communications channel, and can always replace, corrupt or deny packets to either recipient. No amount/quality/degree of cryptography can change this possibility.


You’re misunderstanding the DOS attack I think. This is a DOS on the server itself and can prevent all other clients from connecting or the server from doing any useful work as its time is spent computing keys instead of anything useful. It doesn’t require any MITM proxy to be installed. Basically imagine a client could connect to a random Google server and take it down.


Yes but this is nothing to do with cryptography per se. Most servers can be taken down by a client that finds some expensive operation it can get executed, then sends a bunch of same. The solution implies a generic per-client or per-request resource limit mechanism (which in my experience some systems have, but most do not). This is probably the only good thing about "serverless"/lambda type solutions.


Sure, but an expensive operation sitting as a time bomb within some TLS configs is more easily exploitable than having to find some service specific exploit.


Will Google even do a straight FFDH TLS handshake? I tried with s_client and couldn't find a cipher string that would work (starting by taking the default and just chopping all the non-DH strings out).



This attack doesn't require MitM, though.


Yes, because Alice herself is malicious.


That would be misleading naming.

If Alice is talking to Bob, the attacker in this scenario is a third entity, let's say Claire, who shouts math problems at Bob until he is sufficiently distracted that he can no longer continue his legitimate conversation(s) with Alice.

- as opposed to a regular bandwidth-based DoS where Claire just shouts random words at Bob. Bob's vulnerability here is that he is more easily distracted by certain math problems.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: