Laurens Van Houtven wrote:
In order to sort-of fix this problem, I'm using UUIDs so that the keyspace is so absurdly huge that the odds that someone will guess a key are second to none. Still, if someone is misbehaving (trying a large number of bogus keys) it would be nice to know who it is so I could stop wasting CPU time and bandwidth on them.
IMHO it should be possible to check between 2^10 and 2^14 keys per second with this attack. To succeed, the attacker would need (on average) 2^128 / 2^14 / 2 = 2^113 seconds. Since the universe is only 1.5 * 2^58 seconds old, this approach is not really practical (as you noticed). IMHO it's better to implement some generic DoS countermeasures rather than protect against this specific attack.
Best regards, Mike
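
Added example, not part of the thread and not code from either poster: one way to see which client is trying many bogus keys and stop spending work on it, using a per-client sliding window of failed lookups. The names `LookupThrottle` and `lookup`, the dict-backed store keyed by UUID, the client address strings and the thresholds are all assumptions made for illustration.

```python
import time
import uuid
from collections import defaultdict, deque


class LookupThrottle:
    """Sliding-window count of failed key lookups per client address."""

    def __init__(self, max_failures=20, window=60.0, clock=time.monotonic):
        self.max_failures = max_failures   # assumed threshold, tune per service
        self.window = window               # seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # client -> failure timestamps

    def _recent(self, client):
        now, q = self.clock(), self.failures[client]
        while q and now - q[0] >= self.window:
            q.popleft()                    # forget failures outside the window
        if not q:
            del self.failures[client]      # drop empty entries
        return q

    def blocked(self, client):
        return len(self._recent(client)) >= self.max_failures

    def record_failure(self, client):
        self._recent(client)
        self.failures[client].append(self.clock())


def lookup(store, throttle, client, key):
    """Return (status, value); status is throttled, invalid, miss or ok."""
    if throttle.blocked(client):
        return "throttled", None           # refused before parsing or lookup work
    try:
        parsed = uuid.UUID(key)
    except ValueError:
        throttle.record_failure(client)    # malformed keys count as bogus too
        return "invalid", None
    value = store.get(parsed)
    if value is None:
        throttle.record_failure(client)
        return "miss", None
    return "ok", value


if __name__ == "__main__":
    t = LookupThrottle(max_failures=3, window=10.0)
    for _ in range(5):  # constructed traffic: random guesses from one address
        print(lookup({}, t, "198.51.100.7", str(uuid.uuid4()))[0])
```

The keys of `throttle.failures` at any moment are the addresses with recent bogus lookups, which is the "who is it" the original question asks for.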