w3c / webmention

Webmention spec
https://www.w3.org/TR/webmention/

DDoS prevention #27

Closed kousu closed 8 years ago

kousu commented 8 years ago

It occurs to me that all your DDoS concerns that are creeping into the protocol are the same as email has been dealing with for years. In email, there are two main ways:

  1. a trusted third party: SPF puts into DNS records that say "mail from domain example.com is allowed to be sent by [ip1, ip2, ip3, ...]"
  2. signing: DKIM puts into DNS a public key, and a header is stuffed into email containing a signature on various pieces of the headers and content

(http://www.openspf.org/Related_Solutions)

For webmentions, you could spec that:

  1. the receiver asks if sender has allowed the sender IP, either through DNS (which means TXT records because A records are unreliable as a listing of every IP) or through https://sender.com/webmention.txt
  2. sender makes a keypair and signs the notification with it. The public key can again either be put into DNS, or at https://sender.com/webmention.gpg (notice that https:// is used there: TLS authenticates sender.com and therefore receiver knows these values are trustworthy and they're not being MITM'd)

aaronpk commented 8 years ago

I think these are interesting suggestions for some ways to counter webmention spam. Right now we have one suggested anti-spam addition to the protocol, Vouch. Rather than put it into the core spec initially, it's an extension, so that we can try out implementations of it to get a sense of how feasible it is. I would love to see either SPF or DKIM adapted to handle webmentions and written up as an extension! Would you be up for that?

aaronpk commented 8 years ago

I just double checked, and the spec actually doesn't mention anything about DDoS attacks at all. The spec is specifically pointing out preventing DoS attacks against the endpoint itself.

For example, "Upon receipt of a POST request containing the source and target parameters, the receiver should queue and process the request asynchronously to prevent DoS attacks." is there so that a webmention endpoint isn't required to hold the HTTP connection open while verifying the webmention, since it would be trivial to quickly overload the number of open HTTP connections the endpoint can maintain.

That's really the only mention of a DoS attack as well.
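
Added example (not part of the thread or of the Webmention spec): a sketch of the queue-then-verify pattern the quoted spec sentence describes, with a bounded queue so a burst of requests cannot hold connections open or grow memory. The function names, the queue bound, the 503 response when the queue is full, the injected `fetch` callable and the sample pages are assumptions made for illustration.

```python
import queue
from urllib.parse import urlsplit

MAX_PENDING = 2  # assumed bound, kept small so the constructed run below hits it

def _is_http_url(value):
    parts = urlsplit(value or "")
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def receive(form, pending):
    """Request handler side: cheap, network-free checks only. Returns the HTTP status."""
    source, target = form.get("source"), form.get("target")
    if not (_is_http_url(source) and _is_http_url(target)) or source == target:
        return 400  # reject before spending any queue capacity
    try:
        pending.put_nowait((source, target))
    except queue.Full:
        return 503  # assumed policy: shed load rather than block the connection
    return 202  # accepted; verification happens later, off the request path

def process_pending(pending, fetch):
    """Worker side: fetch each source and keep mentions whose body contains the target."""
    verified = []
    while True:
        try:
            source, target = pending.get_nowait()
        except queue.Empty:
            return verified
        body = fetch(source)  # a real worker would apply timeouts and size limits here
        # Simplified check: substring match instead of parsing href attributes.
        if body is not None and target in body:
            verified.append((source, target))

# Constructed sample data standing in for HTTP fetches of the source pages.
SAMPLE_PAGES = {
    "https://sender.example/post1": '<a href="https://receiver.example/a">hi</a>',
    "https://sender.example/post2": "<p>no link here</p>",
}

def demo():
    target = "https://receiver.example/a"
    pending = queue.Queue(maxsize=MAX_PENDING)
    sources = ["https://sender.example/post1", "https://sender.example/post2",
               "https://sender.example/post3", "ftp://sender.example/file"]
    statuses = [receive({"source": s, "target": target}, pending) for s in sources]
    return statuses, process_pending(pending, SAMPLE_PAGES.get)

if __name__ == "__main__":
    print(demo())
```
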

kousu commented 8 years ago

You're right. I read the spec as "DDoS". I often conflate DDoS and DoS, because if you can't handle DoS then you definitely can't handle DDoS, and if you can handle DDoS then you might be able to handle DoS. :whale:

I am not ready to write a spec on this. I just noticed that there was prior work that was available for exploitation and I wanted it recorded. I'm a n00b at SPF and DKIM, and I am not even running webmentions myself yet, so I am not the person to experiment with this right now.

aaronpk commented 8 years ago

Closing this particular issue for previously stated reasons, but would be happy to see more DDoS-prevention techniques proposed as extensions.