New client puzzle outsourcing techniques for DoS resistance

We explore new techniques for the use of cryptographic puzzles as a countermeasure to Denial-of-Service (DoS) attacks. We propose simple new techniques that permit the out-sourcing of puzzles; their distribution via a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion. We show how a bastion, somewhat surprisingly, need not know which servers rely on its services. Indeed, in one of our constructions, a bastion may consist merely of a publicly accessible random data source, rather than a special purpose server. Our out-sourcing techniques help eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism itself, withstanding over 80% more attack traffic than previous methods in our experiments. Second, our scheme is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, our method allows clients to solve puzzles offline, reducing the need for users to wait while their computers solve puzzles. We present a prototype implementation of our approach, and we describe experiments that validate our performance claims.

[1]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[2]  Ralph C. Merkle,et al.  Secure communications over insecure channels , 1978, CACM.

[3]  Moni Naor,et al.  Pricing via Processing or Combatting Junk Mail , 1992, CRYPTO.

[4]  Ronald L. Rivest,et al.  Time-lock Puzzles and Timed-release Crypto , 1996 .

[5]  Markus Jakobsson,et al.  Curbing Junk E-Mail via Secure Classification , 1998, Financial Cryptography.

[6]  Stuart G. Stubblebine,et al.  Publicly Verifiable Lotteries: Applications of Delaying Functions , 1998, Financial Cryptography.

[7]  Matthew K. Franklin,et al.  Auditable Metering with Lightweight Security , 1997, J. Comput. Secur..

[8]  Markus Jakobsson,et al.  Proofs of Work and Bread Pudding Protocols , 1999, Communications and Multimedia Security.

[9]  John G. Brainard,et al.  Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks , 1999, NDSS.

[10]  Robert Stone,et al.  CenterTrack: An IP Overlay Network for Tracking DoS Floods , 2000, USENIX Security Symposium.

[11]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[12]  Pekka Nikander,et al.  DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[13]  Kevin Barraclough,et al.  I and i , 2001, BMJ : British Medical Journal.

[14]  Adam Stubblefield,et al.  Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[15]  Dawn Xiaodong Song,et al.  Advanced and authenticated marking schemes for IP traceback , 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[16]  Matthew K. Franklin,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[17]  Micah Adler Tradeoffs in probabilistic packet marking for IP traceback , 2002, STOC '02.

[18]  Adam Back,et al.  Hashcash - A Denial of Service Counter-Measure , 2002 .

[19]  Ratul Mahajan,et al.  Controlling high bandwidth aggregates in the network , 2002, CCRV.

[20]  Paul Barford,et al.  A signal analysis of network traffic anomalies , 2002, IMW '02.

[21]  Angelos D. Keromytis,et al.  SOS: secure overlay services , 2002, SIGCOMM '02.

[22]  Moni Naor,et al.  On Memory-Bound Functions for Fighting Spam , 2003, CRYPTO.

[23]  John S. Heidemann,et al.  A framework for classifying denial of service attacks , 2003, SIGCOMM '03.

[24]  John Langford,et al.  CAPTCHA: Using Hard AI Problems for Security , 2003, EUROCRYPT.

[25]  David G. Andersen Mayday: Distributed Filtering for Internet Services , 2003, USENIX Symposium on Internet Technologies and Systems.

[26]  Dawn Xiaodong Song,et al.  Pi: a path identification mechanism to defend against DDoS attacks , 2003, 2003 Symposium on Security and Privacy, 2003..

[27]  Michael K. Reiter,et al.  Defending against denial-of-service attacks with puzzle auctions , 2003, 2003 Symposium on Security and Privacy, 2003..

[28]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[29]  Virgil D. Gligor,et al.  Guaranteeing Access in Spite of Distributed Service-Flooding Attacks (Discussion) , 2003, Security Protocols Workshop.

[30]  Ion Stoica,et al.  Taming IP packet flooding attacks , 2004, Comput. Commun. Rev..

[31]  David Wetherall,et al.  Preventing Internet denial-of-service with capabilities , 2004, Comput. Commun. Rev..

[32]  Ted Wobber,et al.  Moderately hard, memory-bound functions , 2005, TOIT.

[33]  M. Jakobsson,et al.  Security of Discrete Log Cryptosystems in the Random Oracle and the Generic Model , 2005 .