by Brent Waters, John A. Halderman, Ari Juels, Edward W. Felten
http://www.cs.princeton.edu/~bwaters/research/outsource_paper.pdf
Abstract:
We explore new techniques for the use of cryptographic puzzles as a countermeasure to Denial-of-Service (DoS) attacks. We propose simple new techniques that permit the outsourcing of puzzles, meaning their distribution via a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion. We show how a bastion, somewhat surprisingly, need not know which servers rely on its services. Indeed, in one of our constructions, a bastion may consist merely of a publicly accessible random data source, rather than a server. Our outsourcing techniques help eliminate puzzle distribution as a point of compromise. Our method has three main advantages over prior approaches. First, our method is more resistant to DoS attacks that are aimed at the puzzle mechanism itself, withstanding more than 80% more attack traffic than previous methods, according to our experiments. Second, our method is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, our method allows clients to solve puzzles offline, so that users do not have to sit and wait while their computers solve puzzles. We present a prototype implementation of our approach, and we describe experiments that validate our performance claims.