IP Layer Client Puzzles: A Cryptographic Defense against DDoS Attack

Abstract

It is very common today that many business models are based on offering on-line services. Profitability and efficiency of this business model relies on a secure and undisturbed Internet infrastructure. Unfortunately, services offered on Internet infrastructure, being an Open and yet untrusted network, are very often targets of Denial-of-Service and Distributed Denial-of-Service attacks. These attacks are today a serious problem for on-line services offered by many business models. Preventing or minimizing DoS and DDoS is a difficult task which could serve to many on-line service offering business models to provide quality services to their clients. The main objective of this chapter is to present the Client Puzzle mechanism as a new method designed to defend business networks and their on-line services from these attacks. By using a client puzzle protocol on the IP level, the client is forced to solve a cryptographic puzzle before it can request any operation from a server, thus creating computational efforts and delays to illegitimate attackers and minimizing their attack effects on services. In this chapter, the authors show that chained puzzle protocol reduces the network and insfrastructure overhead because the servers do not have to generate puzzles on a per-packet basis. In addition, the chapter analyzes the effectiveness and some limitations of chained puzzles method with regards to minimizing DDoS attacks and outlines a general approach for addressing the identified limitations. At the last part, the authors propose a solution based on the general principle that under attack legitimate clients should be willing to experience some degradation in their performance in order to obtain the requested service.