A multi-layer framework for puzzle-based denial-of-service defense

  • Regular Contribution
  • International Journal of Information Security

Abstract

Client puzzles have been advocated as a promising countermeasure to denial-of-service (DoS) attacks in recent years. However, how to operationalize this idea in network protocol stacks has still not been sufficiently studied. In this paper, we describe our research on a multi-layer puzzle-based DoS defense architecture, which embeds puzzle techniques into both end-to-end and IP-layer services. Specifically, our research results in two new puzzle techniques: puzzle auctions for end-to-end protection and congestion puzzles for IP-layer protection. We present the designs of these approaches and evaluations of their efficacy. We demonstrate that our techniques effectively mitigate DoS threats to IP, TCP and application protocols; maintain full interoperability with legacy systems; and support incremental deployment. We also provide a game-theoretic analysis that sheds light on the potential to use client puzzles for incentive engineering: the cost of solving puzzles on an attacker's behalf could motivate computer owners to more aggressively cleanse their computers of malware, in turn hindering the attacker from capturing a large number of computers with which it can launch DoS attacks.
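The abstract assumes the reader knows the client-puzzle primitive it builds on: the server hands out a cheap-to-issue, cheap-to-verify challenge, and the client must spend a tunable amount of CPU before the server commits any resources to it. The following is an added example, not code from the paper or its authors, showing the basic hash-reversal form of that primitive. It assumes SHA-256 with difficulty measured in leading zero bits, a nonce derived by HMAC from the client identity and issue time so the server keeps no per-client state, a 60-second validity window, and a small ranking function that stands in for the "serve whoever paid the most work first" idea behind puzzle auctions; the paper's actual puzzle-auction and congestion-puzzle protocols are not on this page and are not reproduced here. The addresses and secret are constructed.

```python
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple

# Constructed server secret for this example; a real deployment rotates it.
SERVER_SECRET = os.urandom(32)
PUZZLE_WINDOW_SECONDS = 60  # assumed validity window for an issued puzzle


def _nonce(client_id: str, ts: int) -> str:
    # The nonce is an HMAC over the client identity and issue time, so the
    # server can re-derive it at verification time instead of storing it.
    msg = f"{client_id}|{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def _leading_zero_bits(digest: bytes) -> int:
    value = int.from_bytes(digest, "big")
    return len(digest) * 8 - value.bit_length()


def issue_puzzle(client_id: str, difficulty: int, now: Optional[float] = None) -> dict:
    """Server side: hand the client a nonce and the number of leading zero
    bits its solution must reach. Issuing costs a single HMAC."""
    ts = int(time.time() if now is None else now)
    return {"client_id": client_id, "ts": ts,
            "nonce": _nonce(client_id, ts), "difficulty": difficulty}


def solve_puzzle(puzzle: dict, max_iterations: int = 1 << 24) -> int:
    """Client side: brute-force a counter until SHA-256(nonce || counter) has
    enough leading zero bits. Expected work is about 2**difficulty hashes."""
    for counter in range(max_iterations):
        digest = hashlib.sha256(f"{puzzle['nonce']}|{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= puzzle["difficulty"]:
            return counter
    raise RuntimeError("no solution within the iteration budget")


def verify_solution(client_id: str, ts: int, counter: int, claimed_difficulty: int,
                    now: Optional[float] = None) -> Tuple[bool, int]:
    """Server side: constant-cost check (one HMAC, one hash). Rejects puzzles
    outside the validity window, then compares achieved and claimed difficulty.
    Returns (accepted, achieved_leading_zero_bits)."""
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= PUZZLE_WINDOW_SECONDS:
        return False, 0
    nonce = _nonce(client_id, ts)
    digest = hashlib.sha256(f"{nonce}|{counter}".encode()).digest()
    achieved = _leading_zero_bits(digest)
    return achieved >= claimed_difficulty, achieved


def rank_by_achieved_difficulty(verified: List[Tuple[str, int]]) -> List[str]:
    """Assumed stand-in for the auction idea the abstract names: among valid
    solutions, serve the clients that demonstrably spent the most work first."""
    return [cid for cid, bits in sorted(verified, key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    # Constructed client address; difficulty 12 is ~4096 hashes on average.
    puzzle = issue_puzzle("198.51.100.7", difficulty=12, now=1000)
    answer = solve_puzzle(puzzle)
    print(verify_solution("198.51.100.7", puzzle["ts"], answer, 12, now=1010))
```

The asymmetry is the whole point: the server spends two hash computations per request regardless of difficulty, while the client's cost grows exponentially with the difficulty the server chooses under load. Two caveats a deployment has to handle beyond this sketch: a solved puzzle can be replayed within the window unless the server remembers accepted (client, ts, counter) triples or binds the puzzle to the specific connection, and the window must be long enough for a slow legitimate client to finish at the highest difficulty the server will demand.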



Corresponding author

Correspondence to XiaoFeng Wang.

Cite this article

Wang, X., Reiter, M.K. A multi-layer framework for puzzle-based denial-of-service defense. Int. J. Inf. Secur. 7, 243–263 (2008). https://doi.org/10.1007/s10207-007-0042-x
