Proposal: PoW-based throttling of addresses (was: Outbound connections rotation)



Summary:

Proofs of work (PoW) have been recognized as a defense against denial-of-service (DoS) attacks since the days of "hashcash", which predates cryptocurrencies. Some sites already make IP addresses they suspect of being bots solve a PoW, but the hard part is scoring the connections, and bots often have more patience than humans. Other sites rely on human proofs of work in the form of CAPTCHAs, which do not work well either.

Making only misbehaving clients do expensive work would require scoring clients, which is difficult; prioritizing clients is the better approach. The current notion of misbehavior is limited and tricky to get right, and forcing users to wait on their requests wastes battery power, which is not ideal.

The risk that cookies used to link a client's connections could deanonymize users is not considered a significant concern, because any DoS attack that consumes most of the network's resources is likely driven by a botnet. Cookies can be made somewhat anonymous by signing only a timestamp normalized to the day or week, although attackers can age such cookies ahead of time before abusing them. Proof of UTXO is another way to rank users, but this leads back to a CPU imbalance; a small PoW cost could even it out without users noticing.
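A worked sketch of the two mechanisms discussed above, added here as an example and not code from the proposal or from any Bitcoin node implementation: a server hands out hashcash-style challenges whose difficulty escalates with an address's recent request rate (so a quiet client pays a few hundred hashes and a flooding one pays far more), verifies solutions statelessly with a MAC, rejects replays, and issues a cookie that signs only a day bucket so it can rank clients by age without linking their connections. The parameter values, the "one extra bit per doubling of the request rate" rule, and all names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct
from collections import defaultdict

# Constructed parameters for this example; a deployment would tune them.
BASE_BITS = 8            # work every client pays: about 2**8 hashes on average
MAX_BITS = 22            # cap so a heavily throttled client still finishes
WINDOW_SECONDS = 60      # rate window used to escalate difficulty per address
CHALLENGE_TTL = 120      # seconds a challenge stays valid
DAY = 86400

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    n = 0
    for byte in digest:
        if byte:
            return n + 8 - byte.bit_length()
        n += 8
    return n

def pow_hash(nonce: bytes, solution: int) -> bytes:
    return hashlib.sha256(nonce + struct.pack(">Q", solution)).digest()

def solve(nonce: bytes, bits: int) -> int:
    """Client side: brute-force a 64-bit counter until the hash has `bits` leading zeros."""
    solution = 0
    while leading_zero_bits(pow_hash(nonce, solution)) < bits:
        solution += 1
    return solution

class PowThrottle:
    """Server side. Challenges are stateless: the server stores nothing per
    challenge, it MACs (nonce, bits, expiry, addr) and re-checks the MAC on
    the way back. Only spent nonces are kept, until they expire, to stop replay."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.recent = defaultdict(list)   # addr -> timestamps of recent requests
        self.spent = {}                   # nonce -> expiry

    def _mac(self, nonce: bytes, bits: int, expiry: int, addr: str) -> bytes:
        msg = nonce + struct.pack(">BQ", bits, expiry) + addr.encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def difficulty_for(self, addr: str, now: float) -> int:
        """Assumed rule: one extra bit (double the hashes) per doubling of the
        request rate inside the window, starting from BASE_BITS."""
        stamps = [t for t in self.recent[addr] if now - t < WINDOW_SECONDS]
        self.recent[addr] = stamps
        extra = max(0, len(stamps).bit_length() - 1)
        return min(MAX_BITS, BASE_BITS + extra)

    def challenge(self, addr: str, now: float) -> dict:
        bits = self.difficulty_for(addr, now)
        self.recent[addr].append(now)
        nonce = secrets.token_bytes(16)
        expiry = int(now) + CHALLENGE_TTL
        return {"nonce": nonce, "bits": bits, "expiry": expiry,
                "tag": self._mac(nonce, bits, expiry, addr)}

    def verify(self, addr: str, ch: dict, solution: int, now: float) -> bool:
        if now > ch["expiry"]:
            return False
        expected = self._mac(ch["nonce"], ch["bits"], ch["expiry"], addr)
        if not hmac.compare_digest(ch["tag"], expected):
            return False                      # forged, or bits lowered by the client
        if ch["nonce"] in self.spent:
            return False                      # replayed solution
        if leading_zero_bits(pow_hash(ch["nonce"], solution)) < ch["bits"]:
            return False
        self.spent = {n: e for n, e in self.spent.items() if e > now}
        self.spent[ch["nonce"]] = ch["expiry"]
        return True

# Cookie that proves only "first seen on day N": the signed value is the day
# bucket, so every client issued the same day holds an identical cookie and it
# cannot link one client's connections. It lets the server prioritise older
# clients, and it also lets an attacker pre-age cookies before abusing them.
def issue_cookie(secret: bytes, now: float) -> bytes:
    day = struct.pack(">I", int(now) // DAY)
    return day + hmac.new(secret, day, hashlib.sha256).digest()

def cookie_age_days(secret: bytes, cookie: bytes, now: float):
    """Return the cookie's age in whole days, or None if the signature is bad."""
    day_bytes, tag = cookie[:4], cookie[4:]
    if not hmac.compare_digest(tag, hmac.new(secret, day_bytes, hashlib.sha256).digest()):
        return None
    return int(now) // DAY - struct.unpack(">I", day_bytes)[0]

if __name__ == "__main__":
    throttle = PowThrottle(secrets.token_bytes(32))
    for i in range(20):                      # a constructed burst from one address
        ch = throttle.challenge("192.0.2.1", 1_700_000_000.0 + i)
        ok = throttle.verify("192.0.2.1", ch, solve(ch["nonce"], ch["bits"]), 1_700_000_000.0 + i)
        print(f"request {i:2d}: {ch['bits']} bits, accepted={ok}")
```

The escalation keys on the address only because that is what the summary discusses; the same structure would take a cookie age or UTXO proof as an additional input to lower the starting difficulty for clients the server chooses to prioritise.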


Updated on: 2023-06-09T02:25:49.105336+00:00