The case for TCP/IP puzzles

Since the Morris worm was unleashed in 1988, distributed denial-of-service (DDoS) attacks via worms and viruses have continued to periodically disrupt the Internet. Client puzzles have been proposed as one mechanism for protecting protocols against denial-of-service attacks. In this paper, we argue that such puzzles must be placed within the slim waistline of the TCP/IP protocol stack in order to truly provide protection. We then describe several scenarios in which TCP/IP puzzles could be used to thwart port scans and coordinated DDoS attacks. Finally, while puzzles hold the promise of being able to change the Internet landscape, we describe a large number of open research issues that must be resolved before such a vision can be achieved.
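As an added illustration (not code from the paper), the following Python sketches the kind of hash-based client puzzle the paper argues should sit at the TCP/IP layer: the challenge is bound to the IP/TCP 4-tuple and a time epoch through a keyed MAC so the server keeps no per-flow state, the client pays roughly 2**difficulty hash operations to solve it, and the server verifies at constant cost. The key, epoch window and byte layout are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed key for this example; a real server would generate and rotate it.
SERVER_KEY = b"example-puzzle-key-not-for-production"
EPOCH_WINDOW = 1  # accept solutions for the current epoch and the previous one


def flow_id(src_ip, dst_ip, src_port, dst_port):
    """Bind the puzzle to the IP/TCP 4-tuple so a solution cannot be reused on another flow."""
    return (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack("!HH", src_port, dst_port))


def challenge(flow, epoch, key=SERVER_KEY):
    """Server side: derive the challenge with a keyed MAC so that no per-flow state is
    stored (the same idea as SYN cookies) and clients cannot mint their own challenges."""
    return hmac.new(key, flow + struct.pack("!Q", epoch), hashlib.sha256).digest()[:16]


def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(chal, difficulty):
    """Client side: brute-force a nonce; expected work is about 2**difficulty hashes.
    Returns the nonce and the number of hashes tried."""
    nonce = 0
    while True:
        d = hashlib.sha256(chal + struct.pack("!Q", nonce)).digest()
        if leading_zero_bits(d) >= difficulty:
            return nonce, nonce + 1
        nonce += 1


def verify(flow, epoch, difficulty, nonce, now_epoch, key=SERVER_KEY):
    """Server side: constant cost (one HMAC plus one hash) whatever the difficulty;
    solutions for epochs outside the acceptance window are rejected before any hashing."""
    if not (now_epoch - EPOCH_WINDOW <= epoch <= now_epoch):
        return False
    d = hashlib.sha256(challenge(flow, epoch, key) + struct.pack("!Q", nonce)).digest()
    return leading_zero_bits(d) >= difficulty
```

Raising `difficulty` by one bit doubles the client's expected work while leaving the server's verification cost unchanged, which is the asymmetry that makes puzzles useful against connection-depletion attacks.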
