Author: David A. Harding 2019-07-08 09:20:47
Published on: 2019-07-08T09:20:47+00:00
In a discussion on the Lightning-dev mailing list, ZmnSCPxj raised the concern that a client could carry out a denial-of-service (DoS) attack on a server by repeatedly requesting data without paying. Each request would convince the server to encrypt and send data immediately, wasting resources such as CPU and bandwidth. The problem is not limited to the Lightning Network: it can also occur in web apps on sites served over HTTPS, where a client can repeatedly request the order form page to waste server CPU and bandwidth, or use other clever ways to abuse TLS. One proposed solution was to have the server encrypt data only immediately before putting it in the TCP queue, so that if the socket blocked because the client was not downloading, the server would have wasted CPU encrypting only a few more blocks than were delivered.
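The proposed mitigation, as an added Python example that is not code from the mailing-list thread: a sender that encrypts the next block only after the kernel has accepted the previous one, run against a stalled and a reading client on a local socketpair. The names `LazySender`, `encrypt_block`, `run`, the 4096-byte block size and the key are hypothetical, and the SHAKE-256 XOR is a stand-in for the real transport cipher.

```python
import hashlib
import socket

BLOCK = 4096  # bytes of plaintext per encrypted block (assumed size)

def encrypt_block(key, index, plaintext):
    # Stand-in for the real transport cipher: SHAKE-256 keystream XOR.
    # It only represents per-block CPU cost; do not use it to protect data.
    stream = hashlib.shake_256(key + index.to_bytes(8, "big")).digest(len(plaintext))
    return bytes(p ^ s for p, s in zip(plaintext, stream))

class LazySender:
    """Encrypts block N+1 only after the kernel has accepted all of block N."""
    def __init__(self, sock, key, total_blocks):
        sock.setblocking(False)
        self.sock, self.key, self.total = sock, key, total_blocks
        self.encrypted = 0   # blocks we have spent CPU on so far
        self.pending = b""   # ciphertext the kernel has not accepted yet

    def pump(self):
        """Send until finished (True) or the socket would block (False)."""
        while True:
            if not self.pending:
                if self.encrypted == self.total:
                    return True
                self.pending = encrypt_block(self.key, self.encrypted, bytes(BLOCK))
                self.encrypted += 1
            try:
                sent = self.sock.send(self.pending)
            except BlockingIOError:
                return False  # client is not downloading: stop encrypting
            self.pending = self.pending[sent:]

def run(total_blocks, client_reads):
    """Constructed scenario; returns (finished, blocks_encrypted, bytes_received)."""
    server, client = socket.socketpair()
    client.setblocking(False)
    sender, received, finished = LazySender(server, b"constructed-key", total_blocks), 0, False
    while not finished:
        finished = sender.pump()
        if not client_reads:
            break  # stalled client: never calls recv()
        try:
            while True:
                received += len(client.recv(65536))
        except BlockingIOError:
            pass  # client has drained everything queued so far
    server.close(); client.close()
    return finished, sender.encrypted, received

if __name__ == "__main__":
    print("stalled client:", run(100_000, client_reads=False))
    print("reading client:", run(20, client_reads=True))
```

With the stalled client, the count of encrypted blocks is bounded by the socket send buffer rather than by the size of the requested response.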
Updated on: 2023-06-02T19:06:08.604564+00:00