Abstract
Denial of service by server resource exhaustion has become a major security threat in open communications networks. Public-key authentication does not completely protect against the attacks because the authentication protocols often leave ways for an unauthenticated client to consume a server’s memory space and computational resources by initiating a large number of protocol runs and inducing the server to perform expensive cryptographic computations. We show how stateless authentication protocols and the client puzzles of Juels and Brainard can be used to prevent such attacks.
References
Edward Amoroso. A policy model for denial of service. In Proc. Computer Security Foundations Workshop III, pages 110–114, Franconia, NH USA, June 1990. IEEE Computer Society Press.
Tuomas Aura and Pekka Nikander. Stateless connections. In Proc. International Conference on Information and Communications Security (ICICS’97), volume 1334 of LNCS, pages 87–97, Beijing, China, November 1997. Springer Verlag.
TCP SYN flooding and IP spoofing attack. CERT Advisory CA-96.21, CERT, November 1996.
William H. Cunningham. Optimal attack and reinforcement of a network. Journal of the ACM, 32(3):549–561, July 1985.
Cynthia Dwork and Moni Naor. Pricing via processing or combatting junk mail. In Advances in Cryptology-Proc. CRYPTO’ 98, volume 740 of LNCS, pages 139–147, Santa Barbara, CA USA, August 1992. Springer-Verlag.
Virgil D. Gligor. A note on the denial-of-service problem. In Proc. 1983 IEEE Symposium on Research in Security and Privacy, pages 139–149, Oakland, CA USA, April 1983. IEEE Computer Society.
Dan Harkins and Dave Carrel. The Internet key exchange (IKE). RFC 2409, IETF Network Working Group, November 1998.
Shouichi Hirose and Kanta Matsuura. Enhancing the resistance of a provably secure key agreement protocol to a denial-of-service attack. In Proc. 2nd International Conference on Information and Communication Security (ICICS’99), pages 169–182, Sydney, Australia, November 1999. Springer.
P. Janson, G. Tsudik, and M. Yung. Scalability and flexibility in authentication services: The KryptoKnight approach. In IEEE INFOCOM’97, Tokyo, April 1997.
Ari Juels and John Brainard. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In Proc. 1999 Network and Distributed Systems Security Symposium (NDSS), pages 151–165, San Diego, CA, February 1999. Internet Society.
Phil Karn and William A. Simpson. Photuris: Session-key management protocol. RFC 2522, IETF Network Working Group, March 1999.
Catherine Meadows. A formal framework and evaluation method for network denial of service. In Proc. 12th IEEE Computer Security Foundations Workshop, pages 4–13, Mordano, Italy, June 1999. IEEE Computer Society.
Jonathan K. Millen. A resource allocation model for denial of service. In Proc. 1992 IEEE Computer Society Symposium on Security and Privacy, pages 137–147, Oakland, CA USA, May 1992. IEEE Computer Society Press.
Cynthia A. Phillips. The network inhibition problem. In Proc. 25th Annual ACM Symposium on the Theory of Computing, pages 776–785. ACM Press, May 1993.
Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, and Diego Zamboni. Analysis of a denial of service attack on TCP. In Proc. 1997 IEEE Symposium on Security and Privacy, pages 208–223, Oakland, CA USA, May 1997. IEEE Computer Society Press.
William A. Simpson. IKE/ISAKMP considered harmful. ;login:, 24(6):48–58, December 1999.
Che-Fn Yu and Virgil D. Gligor. A formal specification and verification method for the prevention of denial of service. In Proc. 1988 IEEE Symposium on Security and Privacy, pages 187–202, Oakland, CA USA, April 1988. IEEE Computer Society Press.
Copyright information
© 2001 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aura, T., Nikander, P., Leiwo, J. (2001). DOS-Resistant Authentication with Client Puzzles. In: Christianson, B., Malcolm, J.A., Crispo, B., Roe, M. (eds) Security Protocols. Security Protocols 2000. Lecture Notes in Computer Science, vol 2133. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-44810-1_22
DOI: https://doi.org/10.1007/3-540-44810-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-42566-3
Online ISBN: 978-3-540-44810-5
eBook Packages: Springer Book Archive