New client puzzle outsourcing techniques for DoS resistance

Brent Waters, Ari Juels, J. Alex Halderman, Edward W. Felten

Research output: Contribution to journal, Conference article, peer-review

115 Scopus citations


We explore new techniques for the use of cryptographic puzzles as a countermeasure to Denial-of-Service (DoS) attacks. We propose simple new techniques that permit the out-sourcing of puzzles - their distribution via a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion. We show how a bastion, somewhat surprisingly, need not know which servers rely on its services. Indeed, in one of our constructions, a bastion may consist merely of a publicly accessible random data source, rather than a special purpose server. Our out-sourcing techniques help eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism itself, withstanding over 80% more attack traffic than previous methods in our experiments. Second, our scheme is cheap enough to apply at the IP level, though it also works at higher levels of the protocol stack. Third, our method allows clients to solve puzzles offline, reducing the need for users to wait while their computers solve puzzles. We present a prototype implementation of our approach, and we describe experiments that validate our performance claims.

Original language: English (US)
Pages (from-to): 246-256
Number of pages: 11
Journal: Proceedings of the ACM Conference on Computer and Communications Security
State: Published - 2004
Event: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004 - Washington, DC, United States
Duration: Oct 25 2004 to Oct 29 2004

All Science Journal Classification (ASJC) codes

  • Software
  • Computer Networks and Communications


Keywords

  • Client Puzzles
  • Denial-of-Service
  • DoS

