Rate limiting client puzzle schemes for denial-of-service mitigation

Denial-of-service (DoS) attacks have been on the rise in recent years, and many cryptographic client puzzle schemes have been proposed to mitigate them. Nonetheless, these schemes lack a strategy for setting the puzzle difficulty parameter, which matters for legitimate users, who should not be unfairly delayed when the server load is low. In this paper, we propose a leaky bucket rate limiting queue mechanism that sets the puzzle difficulty according to the queue delay. This mechanism rate limits the number of incoming requests to prevent server overloading. As a result, DoS attackers have to spend more time solving harder puzzles, which reduces their rate of attack success. We compare the effectiveness of the proposed mechanism on both hash reversal and repeated squaring client puzzles. We also demonstrate that the latter provides better DoS resistance, as it ensures a lower server load and does not unfairly penalize mobile device users.
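The following is an added illustration, not code from the paper: a leaky bucket that maps the queue delay a new request would see to a puzzle difficulty (the linear delay-to-bits mapping, the rate and cap parameters, and the small demo modulus are assumptions, not the paper's parameters), alongside minimal hash-reversal and repeated-squaring puzzles so the parallelizable and the sequential workloads can be compared at the same difficulty.

```python
import hashlib
import os

# Leaky-bucket difficulty policy (assumed mapping, not the paper's formula):
# the bucket drains `rate` requests/second, and the queue delay a new arrival
# would see (backlog / rate) sets the puzzle difficulty, capped at max_bits.
class LeakyBucketDifficulty:
    def __init__(self, rate, max_bits, delay_per_bit):
        self.rate, self.max_bits, self.delay_per_bit = rate, max_bits, delay_per_bit
        self.backlog, self.last = 0.0, 0.0

    def difficulty(self, now):
        """Record one arrival at time `now`; return puzzle difficulty in bits."""
        self.backlog = max(0.0, self.backlog - (now - self.last) * self.rate)
        self.last, self.backlog = now, self.backlog + 1.0
        delay = self.backlog / self.rate        # seconds until the queue drains
        return min(self.max_bits, int(delay / self.delay_per_bit))

# Hash-reversal puzzle: the server reveals H(nonce) and nonce with its low
# `bits` bits cleared; the client brute-forces those bits (parallelizable).
def hash_puzzle_make(bits):
    nonce = int.from_bytes(os.urandom(8), "big")
    digest = hashlib.sha256(nonce.to_bytes(8, "big")).digest()
    return digest, nonce & ~((1 << bits) - 1), bits

def hash_puzzle_solve(digest, partial, bits):
    for low in range(1 << bits):
        if hash_puzzle_verify(digest, partial | low):
            return partial | low
    return None

def hash_puzzle_verify(digest, answer):      # one hash: cheap for the server
    return hashlib.sha256(answer.to_bytes(8, "big")).digest() == digest

# Repeated-squaring puzzle (time-lock style): the client needs t sequential
# squarings to get x^(2^t) mod n; the server, knowing phi(n), shortcuts via
# 2^t mod phi(n). Demo primes only, constructed here, not a production modulus.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def squaring_puzzle_make(bits):
    t = 1 << bits
    x = int.from_bytes(os.urandom(8), "big") % N or 2
    expected = pow(x, pow(2, t, PHI), N)      # trapdoor: fast for the server
    return x, t, expected

def squaring_puzzle_solve(x, t):
    for _ in range(t):                        # inherently sequential work
        x = x * x % N
    return x
```

At low load the bucket returns difficulty 0, so legitimate clients are not delayed; under a burst the difficulty climbs to the cap, and only the squaring puzzle keeps a many-core attacker from finishing faster than a single-core mobile client.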
