Thursday, July 28, 2005

Simple Little Delay-Line Hack...

People have proposed requiring the client system to do work as a way of limiting/mitigating DOS attacks, and others have countered that it isn't fair to small devices (eg, phones) as there may be 1-3 orders of magnitude difference in computing power between clients. Thus a followon proposal is many schemes which just force a client to WAIT when the server is under load. I've heard of some rather complicated schemes to do so.

There is a VERY easy way to do this, however:

The server, on startup, creates a random key.

When it gets a request from a client, and it wants the client to wait, it sends back a message saying "Wait x seconds + resend with this cookie". The cookie being E(K, time its allowed, IP). Now the client waits and resends the request with the cookie.

Voila, the clients wait for the specificed time, without the server having to store any per-client state or worry about any delay queue being filled. It requires only ONE encryption operation to create and one to verify, which on a modern CPU is only about a few hundred clock cycles.

So if your DOS-mitigation technique involves having new clients wait, this is all you need.

Wednesday, July 13, 2005

Passive Resistance to Stupid Security

I have a great dislike for stupid security. Airline security in particular ticks me off. It's stupid. ID checks, pointless inspections of shoes, a complete ban on such deadly items as a pair of pliers...

At the same time, they don't screen the ground crews and maintenance staff, who can (and HAVE) smuggled a gun aboard the plane, shot the air crew, and caused a fatal crash killing everyone aboard. And if you print your ticket at home, you can easily eliminate the "flag me" text if you got unlucky and it says 'screen this person'. Or heck, change your name.

So I've been engaging in a minor campaign of passive resistance.

I have my driver's liscence or passport when I travel. But I don't show that anymore. Instead, I use my Lawrence Berkeley Lab ID card. It even says "Guest" on it in my job function. It IS official, issued by a US government lab. It even says so on the back, "Property of the US Government" etc etc etc. And it has a nice Department of Energy logo in the corner.

But the key is that it looks official. Airline desks, airport security, etc. I've used it at least a dozen times now, and I've only been challanged on it once. I would have fought the challenge (it IS a government issued ID), but it was a tight connection so I didn't want to play my normal games.

Now all I need to do is make up something that just LOOKS official. It just needs to have my picture, a good logo, and be printed on thick plastic. I'm thinking "Department of Bonehead Security", with an eagle bonking itself on the head to create the stars around it. Anyone challanges it, yeah, I'd whip out the driver's liscence. But until then, I'll have the nice plastic card.

Likewise, I hate taking off my shoes. I wear shoes with no metal. If the TIA guy says "I recommend you take off the shoes", I ask if I HAVE to. Sometimes the response is "if the metal detector goes off, you will get secondary screening". Fair enough: far too many shoes have metal shanks, and getting those people to take their shoes off removes a huge host of pointless false-positives. Sometimes its "We'll screen you, period". If anything, saying my low-cut hiking shoes are "too chunky". But the screeners have even objected to Tivas, so its obviously whatever the particular guy feels that day.

The other half of the time, no buzz, but secondary screening anyway. And you learn alot. Both times, they did NOT X-ray my shoes. Neither time did the TIA guy at the secondary screening know WHY I was screened. One time they wanded my wallet, the other time I simply held it out and it NEVER got wanded. The walkthrough detectors aren't sensitive enough to detect my cardkeys, but the wands are.

Both times, the TIA agent ordering the screening wasn't interested in security. If they were, they would tell the other agent why I was being screened instead of just sending me over to wait in another spot for the dude with the want. Rather, secondary screening is a punishment for questioning stupid rules. But hey, if I'm not in a hurry, its wasting their time, not mine.

All in all, airline security is a general exercise in silly security theater. But at least you can have fun with it.