From: Marc.Ringuette@GS80.SP.CS.CMU.EDU
To: cypherpunks@toad.com
Message Hash: 9a2c0137118e36d13235fbce57ee489216070290746144bd2c3c75c2bd621759
Message ID: <9302242031.AA10553@toad.com>
Reply To: N/A
UTC Datetime: 1993-02-24 20:31:26 UTC
Raw Date: Wed, 24 Feb 93 12:31:26 PST
From: Marc.Ringuette@GS80.SP.CS.CMU.EDU
Date: Wed, 24 Feb 93 12:31:26 PST
To: cypherpunks@toad.com
Subject: Anonymous flooding
Message-ID: <9302242031.AA10553@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
I wonder if full crypto anonymity as we envision it will be stable?
I'm very concerned about the problem of anonymous users intentionally
flooding the network with garbage in order to bring it to its knees.
Current practice, in the non-anonymous world, is to trace excess
traffic to its source and stop it from being generated. This will no
longer be possible when true anonymity is available.
This would particularly be a problem if a remailer is willing to forward
an incoming message to more than one destination. In that case, by sending a
single anonymous message, a saboteur could generate an exponential amount
of net traffic. This would be bad.
Two basic precautions for a remailer to take are
1. To require a 1-1 correspondence between input and output messages.
2. To require that the address portion of the message shrink at each step
(preventing infinite loops).
If this is done, then the saboteur's original message can be at most
n-fold replicated, where n is the maximum number of remailer hops
allowed.
However, I still have some fundamental concerns that an anonymity-based
system is vulnerable to flooding and denial of service by the bad guys,
including Big Brother, who may wish to prevent effective use of such
systems. This may make operating a remailer a difficult proposition.
I'm discouraged. Any thoughts?
-- Marc Ringuette (mnr@cs.cmu.edu)
Return to February 1993
Return to “uri@watson.ibm.com”