IP Layer Client Puzzles: A Cryptographic Defense against DDoS Attack

Genti Daci (Polytechnic University of Tirana, Albania) and Rezarta Jaupi (Polytechnic University of Tirana, Albania)
DOI: 10.4018/978-1-4666-3946-1.ch002


It is very common today for business models to be based on offering on-line services. The profitability and efficiency of such a business model rely on a secure and undisturbed Internet infrastructure. Unfortunately, services offered over the Internet, an open and untrusted network, are very often the targets of Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks. These attacks are today a serious problem for the on-line services on which many business models depend. Preventing or minimizing DoS and DDoS attacks is a difficult task, but one that would allow the many business models built on on-line services to deliver quality service to their clients. The main objective of this chapter is to present the Client Puzzle mechanism as a new method designed to defend business networks and their on-line services from these attacks. By using a client puzzle protocol at the IP level, the client is forced to solve a cryptographic puzzle before it can request any operation from a server, thus imposing computational effort and delay on illegitimate attackers and minimizing the effect of their attacks on services. In this chapter, the authors show that the chained puzzle protocol reduces the network and infrastructure overhead because the servers do not have to generate puzzles on a per-packet basis. In addition, the chapter analyzes the effectiveness and some limitations of the chained puzzle method with regard to minimizing DDoS attacks and outlines a general approach for addressing the identified limitations. In the last part, the authors propose a solution based on the general principle that, under attack, legitimate clients should be willing to accept some degradation in their performance in order to obtain the requested service.
Chapter Preview

2. Client Puzzle Protocol

A cryptographic puzzle is a cryptogram that is encrypted with a strong encryption function and a part of the solution is revealed to the solver. Thus, a puzzle would consist of a plaintext, a ciphertext, and a part of the key. The remaining unknown bits of the key would be the solution to the puzzle. In order for the solver to find the solution to the puzzle, a brute-force approach must be applied that tries random values for the remaining bits of the key and then checks the value of the ciphertext to determine if the correct key has been found.

The properties of client puzzle (Aura, Nikander, & Leiwo, 2000) are:

1. Creating a puzzle and verifying the solution is inexpensive for the server.

2. The cost of solving the puzzle is easy to adjust from zero to impossible.

3. The puzzle can be solved on most types of client hardware.

4. While the client is solving the puzzle, the server does not need to store the solution or other client-specific data.

5. The puzzle should be solved in a predetermined amount of time.

6. The puzzle solution must be unique.

A natural choice for a client puzzle is brute-force reversal of a hash function such as MD5 or SHA-1, since these functions have a simple structure and can run on a variety of hardware platforms.
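As an added example, not taken from the chapter, the following Python sketch implements the hash-based puzzle described above: the server derives the full 128-bit key from a secret with an HMAC so that it keeps no per-client state (property 4), reveals all but `difficulty` bits of it (property 2), and the client brute-forces the rest while the server verifies with a single keyed hash. The function names, the 60-second time slot, the demo secret and the sample client identifier are assumptions of this example.

```python
import hashlib
import hmac
import time

# Constructed demo secret; a real server would use a fresh random key and rotate it.
SERVER_SECRET = b"constructed-demo-secret"

def current_period():
    # Coarse time slot bound into the puzzle so old solutions expire (property 5).
    return int(time.time()) // 60

def make_puzzle(client_id, difficulty, period=None, secret=SERVER_SECRET):
    """Server side: build a puzzle without storing any per-client state (property 4)."""
    if period is None:
        period = current_period()
    # The 128-bit key is a keyed hash of the client identity and time slot, so the
    # server can recompute it at verification time instead of remembering it.
    full_key = hmac.new(secret, client_id + period.to_bytes(8, "big"),
                        hashlib.sha256).digest()[:16]
    # Reveal everything but the low `difficulty` bits (0 = free, 128 = impossible).
    known_bits = int.from_bytes(full_key, "big") >> difficulty
    target = hashlib.sha256(full_key).digest()   # the "ciphertext" the solver must match
    return {"client_id": client_id, "period": period,
            "difficulty": difficulty, "known_bits": known_bits, "target": target}

def solve_puzzle(puzzle):
    """Client side: brute-force the missing bits (on average 2**(difficulty-1) hashes)."""
    d = puzzle["difficulty"]
    for guess in range(1 << d):
        candidate = ((puzzle["known_bits"] << d) | guess).to_bytes(16, "big")
        if hashlib.sha256(candidate).digest() == puzzle["target"]:
            return candidate
    return None

def verify_solution(client_id, period, solution, now=None, secret=SERVER_SECRET):
    """Server side: one HMAC and a constant-time compare; stale time slots are rejected."""
    if now is None:
        now = current_period()
    if not (now - 1 <= period <= now):
        return False
    expected = hmac.new(secret, client_id + period.to_bytes(8, "big"),
                        hashlib.sha256).digest()[:16]
    return hmac.compare_digest(expected, solution)

if __name__ == "__main__":
    puzzle = make_puzzle(b"10.0.0.7", difficulty=16)   # constructed sample client
    answer = solve_puzzle(puzzle)
    print(verify_solution(b"10.0.0.7", puzzle["period"], answer))  # True
```

Raising `difficulty` by one doubles the client's expected work while the server's cost (one HMAC per puzzle and one per verification) stays constant, which is the asymmetry the protocol relies on.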