A Puzzle-Based Defense Strategy Against Flooding Attacks Using Game Theory

In recent years, a number of puzzle-based defense mechanisms have been proposed against flooding denial-of-service (DoS) attacks in networks. Nonetheless, these mechanisms have not been designed using formal approaches, so important design issues such as their effectiveness and optimality remain unresolved. This paper uses game theory to propose a series of optimal puzzle-based strategies for handling increasingly sophisticated flooding attack scenarios. In doing so, the solution concept of Nash equilibrium is used prescriptively: the defender plays its part of the equilibrium as an optimal defense against rational attackers. The study culminates in a strategy for handling distributed attacks from an unknown number of sources.