Abstract
We explore new techniques for the use of cryptographic puzzles as a countermeasure to Denial-of-Service (DoS) attacks. We propose simple new techniques that permit the out-sourcing of puzzles - their distribution via a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion. We show how a bastion, somewhat surprisingly, need not know which servers rely on its services. Indeed, in one of our constructions, a bastion may consist merely of a publicly accessible random data source, rather than a special purpose server. Our out-sourcing techniques help eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism itself, withstanding over 80% more attack traffic than previous methods in our experiments. Second, our scheme is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, our method allows clients to solve puzzles offline, reducing the need for users to wait while their computers solve puzzles. We present a prototype implementation of our approach, and we describe experiments that validate our performance claims.
Original language | English (US) |
---|---|
Pages (from-to) | 246-256 |
Number of pages | 11 |
Journal | Proceedings of the ACM Conference on Computer and Communications Security |
DOIs | |
State | Published - 2004 |
Event | Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States Duration: Oct 25 2004 → Oct 29 2004 |
All Science Journal Classification (ASJC) codes
- Software
- Computer Networks and Communications
Keywords
- Client Puzzles
- Denial-of-Service
- DoS