Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten.

Published byRosalind King Modified over 9 years ago

Similar presentations

Presentation on theme: "New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten."— Presentation transcript:

1 New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten

2 Motivation Client puzzle mechanism can become the target of DoS attacks Servers have to validate solutions which require resources Servers have to validate solutions which require resources Puzzles must be solved online User time is more important than CPU time User time is more important than CPU time

3 Properties of the Proposed Solution The creation of puzzles is outsourced to a secure entity, the bastion Creates puzzle with no regard to which server is going to use them Creates puzzle with no regard to which server is going to use them Verifying puzzle solutions is a table lookup Clients can solve puzzles offline ahead of time A puzzle solution gives access to a virtual channel for a short time period

4 Puzzle Properties Unique puzzle solutions Each puzzle has a unique solution Each puzzle has a unique solution Per-channel puzzle distribution Puzzles are unique per each (server, channel, time period) triplet Puzzles are unique per each (server, channel, time period) triplet Per-channel puzzle solution If a client has a solution for one channel, he can calculate a solution for another server with the same channel easily If a client has a solution for one channel, he can calculate a solution for another server with the same channel easily

5 Priv: X 1 Router Pub: Y 1 Virtual Channels Bastion G: A group of prime numbers with generator g. Pick r c,t  Z q a c,t  [r c,t, (r c,t + l) mod q] Let g c,t = g f’(a), puzzle  c,t = (g c,t, r c,t )  c,t  c,t for all channels Enumerate l values to solve a c,t Solution is  c,t = Y 1 f’(a) Take the easy way  c,t = g c,t X1

6 Priv: X 1 Server 1 Pub: Y 1 Virtual Channels Server 1:  c,t = Y 1 f’(a)  c,t = g c,t X1 Server 2:  c,t = Y 2 f’(a) Server 3:  c,t = Y 3 f’(a) Priv: X 2 Server 2 Virtual Channels  c,t = g c,t X2 Priv: X 3 Server 3 Virtual Channels  c,t = g c,t X3 Pub: Y 2 Pub: Y 3

7 System Description Solutions for puzzles are only valid for the time period t. (Order of minutes) Client: During T i, download puzzles for T i+1 and solve During T i, download puzzles for T i+1 and solve Check to see if server has a public key Check to see if server has a public key If so append puzzle solutions to messages If so append puzzle solutions to messagesServer: During T i, download and solve all puzzles for T i+1 During T i, download and solve all puzzles for T i+1 If server is under attack only accept requests that have valid tokens If server is under attack only accept requests that have valid tokens Checking puzzle solution is a simple table lookup Checking puzzle solution is a simple table lookup

8 Communication Public key: Y Puzzle index: c Token:  c,t Token:  c,t+1 c Client uses option field in TCP SYN to relay the token Only the first 48 bits of the solution is used The server determines the virtual channel Server limits new connection per channel Virtual Channels

9 Resilience Against Attacks 2.1 GHz Pentium can process 1024-bit DH key in 3.7ms. With 5% recourse it can populate tokens for 16,000 virtual channels. If s=2, every client can solve at least one puzzle and half of them can solve at least two If attacker has 50 zombie machines, it can create 2*50*2 = 200 puzzle solutions occupying 1.25% of the channels If attacker has 50 zombie machines, it can create 2*50*2 = 200 puzzle solutions occupying 1.25% of the channels Probability of a benign user not getting a normal channel <.625% Probability of a benign user not getting a normal channel <.625%

10 Experiment Puzzle checking (table lookup) is implemented at kernel lvl After the routing and before the packet reaches higher level protocols like TCP Simulate conventional puzzles by replacing the lookup code with a SHA-1 hash computation Simulate syncookies by allowing Linux to send an ACK packet back

11

Download ppt "New Client Puzzle Outsourcing Techniques for DoS Resistance Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten."

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Ari Juels and John Brainard RSA Laboratories.
Security Issues In Mobile IP

Security Issues In Mobile IP
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
CSC 774 Advanced Network Security

CSC 774 Advanced Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
CS162 Section Lecture 9. KeyValue Server Project 3 KVClient (Library) Client Side Program KVClient (Library) Client Side Program KVClient (Library) Client.

CS162 Section Lecture 9. KeyValue Server Project 3 KVClient (Library) Client Side Program KVClient (Library) Client Side Program KVClient (Library) Client.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Network Access Control for Mobile Ad Hoc Network Pan Wang North Carolina State University.

Network Access Control for Mobile Ad Hoc Network Pan Wang North Carolina State University.
12/2/2003chow1 Network and System Support for Multi-Level Security C. Edward Chow Department of Computer Science University of Colorado At Colorado Springs.

12/2/2003chow1 Network and System Support for Multi-Level Security C. Edward Chow Department of Computer Science University of Colorado At Colorado Springs.
LAAC: A Location-Aware Access Control Protocol YounSun Cho, Lichun Bao and Michael T. Goodrich IWUAC 2006.

LAAC: A Location-Aware Access Control Protocol YounSun Cho, Lichun Bao and Michael T. Goodrich IWUAC 2006.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.

Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.

Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Spring 2006.

Similar presentations

Ads by Google