论文信息 - Using Client Puzzles to Mitigate Distributed Denial of Service Attacks in the Tor Anonymous Routing Environment

Using Client Puzzles to Mitigate Distributed Denial of Service Attacks in the Tor Anonymous Routing Environment

A novel client puzzle protocol, the memoryless puzzle protocol (MPP), is proposed and investigated. The goal is to show that MPP is a viable solution for mitigating distributed denial-of-service (DDoS) attacks in an anonymous routing environment. One such environment, Tor, provides anonymity for interactive Internet services. However, Tor relies on the transport layer security (TLS) protocol, making it vulnerable to distributed denial-of-service (DDoS) attacks. Although client puzzles are often proposed as a solution to denial-of-service attacks, this research is the first to explore TLS DDoS attack mitigation in the Tor anonymous routing environment. Using the MPP, the central processing unit (CPU) utilization and user-data latency measures are analyzed under four increasing DDoS attack intensities and four different puzzle probability distribution levels. For results, typical CPU utilization rates of 80-100% drop to below 70% signifying successful mitigation. Furthermore, even if a client only has a 30% chance of receiving a puzzle or the maximum puzzle strength is used, MPP effectively mitigates attacks. Finally, user-data latency decreases approximately 50% under large-scale attacks. Hence, the MPP is a suitable solution for increasing the robustness and reliability of Tor.

Barry E. Mullins | Rusty O. Baldwin | Richard A. Raines | Douglas J. Kelly | Nicholas A. Fraser

[1] Adam Stubblefield,et al. Using Client Puzzles to Protect TLS , 2001, USENIX Security Symposium.

[2] David G. Andersen,et al. Proceedings of Usits '03: 4th Usenix Symposium on Internet Technologies and Systems Mayday: Distributed Filtering for Internet Services , 2022 .

[3] Pekka Nikander,et al. Towards Network Denial of Service Resistant Protocols , 2000, SEC.

[4] Nick Mathewson,et al. Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[5] Thorsten Holz. A Short Visit to the Bot Zoo , 2005, IEEE Secur. Priv..

[6] Gene Tsudik,et al. Improving secure server performance by re-balancing SSL/TLS handshakes , 2006, ASIACCS '06.

[7] Bill McCarty,et al. Botnets: Big and Bigger , 2003, IEEE Secur. Priv..

[8] Pekka Nikander,et al. DOS-Resistant Authentication with Client Puzzles , 2000, Security Protocols Workshop.

[9] Angelos D. Keromytis,et al. Secure Overlay Services (SOS) , 2004 .

[10] David Moore,et al. The Spread of the Witty Worm , 2004, IEEE Secur. Priv..

[11] Alphonse Karr. Worms and Viruses and Botnets, Oh My! Rational Responses to Emerging Internet Threats , 2006 .

[12] Ari Juels,et al. Client puzzles: A cryptographic defense against connection depletion , 1999 .

[13] Raj K. Puri. Bots & Botnet: An Overview , 2003 .

[14] Ted Wobber,et al. Moderately hard, memory-bound functions , 2005, TOIT.

[15] Hugo Krawczyk,et al. HMAC: Keyed-Hashing for Message Authentication , 1997, RFC.