Abstract
Client puzzles have been advocated as a promising countermeasure to denial-of-service (DoS) attacks in recent years. However, how to operationalize this idea in network protocol stacks has still not been sufficiently studied. In this paper, we describe our research on a multi-layer puzzle-based DoS defense architecture, which embeds puzzle techniques into both end-to-end and IP-layer services. Specifically, our research results in two new puzzle techniques: puzzle auctions for end-to-end protection and congestion puzzles for IP-layer protection. We present the designs of these approaches and evaluations of their efficacy. We demonstrate that our techniques effectively mitigate DoS threats to IP, TCP and application protocols; maintain full interoperability with legacy systems; and support incremental deployment. We also provide a game theoretic analysis that sheds light on the potential to use client puzzles for incentive engineering: the cost of solving puzzles on an attacker's behalf could motivate computer owners to more aggressively cleanse their computers of malware, in turn hindering the attacker from capturing a large number of computers with which it can launch DoS attacks.
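As an added illustration (not code from the paper), a minimal hash-based client puzzle in Python showing the cost asymmetry the abstract relies on: the server issues a stateless puzzle whose verification costs one HMAC and one hash, while the client must perform about 2^k hash evaluations for difficulty k. The HMAC-derived nonce and the SHA-256 leading-zero-bit criterion are assumptions for this example, not the paper's exact construction.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for this example; a deployment would rotate it.
SERVER_KEY = secrets.token_bytes(32)


def issue_puzzle(client_id: bytes, difficulty: int, key: bytes = SERVER_KEY) -> bytes:
    """Derive a per-client puzzle nonce without storing per-request state.
    Binding the nonce to the client identity and difficulty via HMAC lets the
    server recompute it at verification time (assumed design; a real system
    would also bind a coarse timestamp so puzzles expire)."""
    return hmac.new(key, client_id + bytes([difficulty]), hashlib.sha256).digest()


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(nonce: bytes, difficulty: int) -> tuple[int, int]:
    """Client side: brute-force x such that SHA-256(nonce || x) starts with
    `difficulty` zero bits. Returns (solution, attempts); expected attempts
    grow as 2**difficulty, which is the cost imposed on the requester."""
    x = 0
    while True:
        h = hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()
        if _leading_zero_bits(h) >= difficulty:
            return x, x + 1
        x += 1


def verify_solution(client_id: bytes, difficulty: int, solution: int,
                    key: bytes = SERVER_KEY) -> bool:
    """Server side: one HMAC plus one hash, independent of difficulty, so a
    flood of bogus solutions costs the server far less than it costs senders."""
    nonce = issue_puzzle(client_id, difficulty, key)
    h = hashlib.sha256(nonce + solution.to_bytes(8, "big")).digest()
    return _leading_zero_bits(h) >= difficulty
```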
Wang, X., Reiter, M.K. A multi-layer framework for puzzle-based denial-of-service defense. Int. J. Inf. Secur. 7, 243–263 (2008). https://doi.org/10.1007/s10207-007-0042-x