Abstract
Denial of Service (DoS) attacks pose a fast-growing threat to network services in the Internet, and corporate intranets and public local area networks such as Wi-Fi hotspots are affected as well. Protocols that perform authentication and key exchange relying on expensive public key cryptography are especially likely to be preferred targets. A well-known countermeasure against resource depletion attacks is client puzzles. Most existing client puzzle schemes are interactive: upon receiving a request, the server constructs a puzzle and asks the client to solve this challenge before processing its request. But the packet with the puzzle parameters sent from server to client lacks authentication. An attacker can mount a counterattack on the clients by injecting forged packets with bogus puzzle parameters bearing the server's sender address. A client receiving a plethora of bogus challenges may become overloaded and will probably not be able to solve the genuine challenge issued by the authentic server; its request thus remains unanswered. In this paper we introduce a secure client puzzle architecture that overcomes the described authentication issue. In our scheme client puzzles are employed non-interactively and constructed by the client from a periodically changing, secure random beacon. A dedicated beacon server broadcasts beacon messages which can be easily verified by matching their hash values against a list of beacon fingerprints that has been obtained in advance. We develop techniques to provide a robust beacon service; this involves synchronization aspects and, in particular, the secure deployment of beacon fingerprints.
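The following is an added illustration of the architecture the abstract describes, written for this page; it is not the authors' code and does not reproduce their puzzle construction. It assumes a hashcash-style puzzle (find a nonce so that a SHA-256 digest has a given number of leading zero bits), a wire format of a 4-byte period number followed by a 32-byte beacon, and a server that accepts solutions for the current period and one previous period to tolerate clock skew; all three are assumptions. What it shows is the property the paper relies on: a receiver can reject an injected beacon with nothing but the pre-distributed fingerprint list, and the client never waits for a challenge from the server.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
BEACON_LEN = 32


def generate_beacons(num_periods):
    """Beacon server setup (assumed layout): one random beacon per period.
    Only the fingerprint list (hash of each beacon) is distributed in advance;
    the beacons themselves are revealed period by period by broadcast."""
    beacons = [secrets.token_bytes(BEACON_LEN) for _ in range(num_periods)]
    fingerprints = [HASH(b).digest() for b in beacons]
    return beacons, fingerprints


def beacon_message(period, beacon):
    """Assumed wire format of a broadcast: 4-byte big-endian period || beacon."""
    return period.to_bytes(4, "big") + beacon


def verify_beacon(msg, fingerprints):
    """Receiver check (client or server): accept only if the hash of the carried
    beacon equals the pre-distributed fingerprint for that period. A spoofed
    message carrying the server's address but a bogus beacon fails here; no
    signature and no key material is needed on the receiver."""
    if len(msg) != 4 + BEACON_LEN:
        return None
    period = int.from_bytes(msg[:4], "big")
    beacon = msg[4:]
    if period >= len(fingerprints):
        return None
    if not hmac.compare_digest(HASH(beacon).digest(), fingerprints[period]):
        return None
    return period, beacon


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_digest(beacon, client_id, request, nonce):
    """Assumed puzzle binding: beacon period, client identity and request."""
    return HASH(beacon + client_id + request + nonce.to_bytes(8, "big")).digest()


def solve_puzzle(beacon, client_id, request, difficulty):
    """Client side, no round trip to the server: search a nonce so the digest
    has at least `difficulty` leading zero bits (about 2**difficulty hashes)."""
    nonce = 0
    while leading_zero_bits(puzzle_digest(beacon, client_id, request, nonce)) < difficulty:
        nonce += 1
    return nonce


class PuzzleServer:
    """Protected server: learns beacons only from verified broadcasts and
    checks incoming solutions against them."""

    def __init__(self, fingerprints, difficulty, window=1):
        self.fingerprints = fingerprints
        self.difficulty = difficulty
        self.window = window   # assumed: accept current and `window` previous periods
        self.beacons = {}      # period -> beacon, filled from verified broadcasts
        self.current = None
        self.seen = set()      # replay protection for (period, client, request, nonce)

    def receive_beacon(self, msg):
        out = verify_beacon(msg, self.fingerprints)
        if out is None:
            return False
        period, beacon = out
        self.beacons[period] = beacon
        self.current = period if self.current is None else max(self.current, period)
        return True

    def verify_request(self, period, client_id, request, nonce):
        if self.current is None or not (self.current - self.window <= period <= self.current):
            return False   # stale or future period
        beacon = self.beacons.get(period)
        if beacon is None:
            return False   # no verified beacon for that period
        key = (period, client_id, request, nonce)
        if key in self.seen:
            return False   # replayed solution
        if leading_zero_bits(puzzle_digest(beacon, client_id, request, nonce)) < self.difficulty:
            return False
        self.seen.add(key)
        return True
```

Two points a deployment has to get right are visible in the code: the fingerprint list is the single trust anchor, so its distribution to clients and servers must itself be secured (the deployment problem the abstract names), and the server must bound the accepted periods, or an attacker who collects old beacons can precompute solutions and submit them later.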
Keywords
- network security
- Denial of Service (DoS)
- client puzzles
- authentication
- public key cryptography
© 2012 IFIP International Federation for Information Processing
Jerschow, Y.I., Mauve, M. (2012). Secure Client Puzzles Based on Random Beacons. In: Bestak, R., Kencl, L., Li, L.E., Widmer, J., Yin, H. (eds) NETWORKING 2012. NETWORKING 2012. Lecture Notes in Computer Science, vol 7290. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30054-7_15
DOI: https://doi.org/10.1007/978-3-642-30054-7_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30053-0
Online ISBN: 978-3-642-30054-7