[stunnel-users] stunnel throttling and statistics
Michal Trojnara
Michal.Trojnara at mobi-com.net
Fri Jul 10 13:20:08 CEST 2009
Laurens Van Houtven wrote:
> In order to sort-of fix this problem, I'm using UUIDs so that the
> keyspace is so absurdly huge that the odds that someone will guess a
> key are second to none. Still, if someone is misbehaving (trying a
> large number of bogus keys) it would be nice to know who it is so I
> could stop wasting CPU time and bandwidth on them.
IMHO it should be possible to check between 2^10 and 2^14 keys per second
with this attack. To succeed, the attacker would need (on average)

2^128 / 2^14 / 2 = 2^113 seconds

Since the universe is only 1.5 * 2^58 seconds old, this approach is not
really practical (as you noticed). IMHO it's better to implement some
generic DoS countermeasures rather than protect against this specific
attack.
Best regards,
Mike