Efficient Trapdoor-Based Client Puzzle Against DoS Attacks
It is well known that authentication, integrity, and confidentiality are the most important principles of network security. However, recent reports about a number of prominent Internet service providers that broke down because of malicious attacks [2, 3, 32] urge people to realize that all security principles must be based on service availability. “Availability” in this context refers to a service that can be accessed within a reasonable amount of waiting time after a legitimate client sends a request.
Keywords: Search Range; Connection Request; Modular Multiplication; Discrete Logarithm Problem; Modular Exponentiation
- 1. Digital signature standard (DSS). In Federal Information Processing Standards Publication 186. National Institute of Standards and Technology (NIST), 1994.
- 2. The New York Times, 12 September, 1996.
- 3. R. Aguilar, and J. Kornblum. New York Times site hacked. CNET NEWS.COM, 8 November, 1996.
- 4. T. Aura, P. Nikander, and J. Leiwo. Dos-resistant authentication with client puzzles. Security Protocols, 8th International Workshop, Cambridge, UK, April 3–5, 2000; revised papers, Vol. 2133 of Lecture Notes in Computer Science, pp. 170–177, Springer, 2001.
- 5. B. Waters, A. Juels, J. A. Halderman, and E. W. Felten. New client puzzle outsourcing techniques for dos resistance. In ACM Conference on Computer and Communications Security, pp. 246–256, 2004.
- 6. D. Bernstein. Syn floods - a solution. Available at http://www.op.net/jaw/syn-fix.html, 1996.
- 7. E. Brickell, and K. McCurley. An interactive identification scheme based on discrete logarithms and factoring. In Advances in Cryptology, Proceedings EUROCRYPT 90, LNCS 473, Vol. 5, pp. 23–29. Springer, 1991.
- 8. CNN. Cyber-attacks batter Web heavyweights. Available at http://www.cnn.com/2000/tech/computing/02/09/cyber.attacks.01/index.html, February 2002.
- 9. daN. Re:client puzzle protocol neohapsis archives. Available at http://archives.neohapsis.com/archives/nfr-wizards/2000-q1/0645.html, 2000.
- 10. C. Davidson. The “SYN flood” gates open for WebCom. iWorld Weekly, 16 December, 1996.
- 11. C. Dwork, and M. Naor. Pricing via processing or combatting junk mail. In Advances in Cryptology, Proceedings CRYPTO 92, LNCS 740, pp. 139–147, Santa Barbara, CA USA, Springer, August 1992.
- 13. J. Elliot. Distributed denial of service attacks and the zombie ant effect. IT Professional, pp. 55–57, March 2000.
- 14. P. Ferguson, and D. Senie. Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing. IETF, RFC 2267, January 1998.
- 15. A. Juels, and J. Brainard. Client puzzles: A cryptographic countermeasure against connection depletion attacks. In S. Kent, (Ed.), Distributed Systems Security (SNDSS), pp. 151–165, 1999.
- 16. F. Kargl, J. Maier, and M. Weber. Protecting web servers from distributed denial of service attacks. In Proceedings of the 10th International WWW Conference, Hong Kong, May 1–5, 2001.
- 17. C. Kaufman, R. Perlman, and M. Speciner. Network Security: Private Communication in a Public World (2nd Edition). Prentice Hall PTR, 2002.
- 18. A.K. Lenstra, and H.W. Lenstra, Jr. Algorithms in number theory. In J. van Leeuwen, (Ed.), Handbook of Theoretical Computer Science, Vol. A, pp. 673–715, MIT/Elsevier, 1990.
- 20. A. Odlyzko. Discrete logarithms in finite fields and their cryptographic significance. In Advances in Cryptology, Proceedings EUROCRYPT 84, LNCS 209, pp. 224–314, Springer, 1984.
- 21. K. Park, and H. Lee. On the effectiveness of probabilistic packet marking for ip traceback under denial of service attack. IEEE INFOCOM 2001, pp. 338–347, 2001.
- 22. K. Park, and H. Lee. On the effectiveness of route-based packet filtering for distributed dos attack prevention in power-law internets. In Proceedings of ACM SIGCOMM’2001, August 2001.
- 23. K. Park, and H. Lee. Advanced packet marking mechanism with pushback for ip traceback. In ACNS04 PROGRAM - Academic Track, June 8–11, 2004.
- 24. M. B. Rash. client puzzle protocol. Available at http://honor.trusecure.com/pipermail/firewall-wizards/2000-february/007944.html, 2000.
- 25. L. Ricciulli, P. Lincoln, and P. Kakkar. TCP SYN flooding defense. In Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS’99), 1999.
- 26. B. Schneier. Applied cryptography: protocols, algorithms, and source code in C. Wiley, 1996.
- 27. C. Schnorr. Efficient signature generation for smart cards. In Advances in Cryptology, Proceedings CRYPTO 89, LNCS 435, pp. 239–252, Springer, 1990.
- 28. L. Sherriff. Virus launches ddos for mobile phones. Available at http://www.theregister.co.uk/content/1/12394.html.
- 29. C. Wang, C. Lin, and C. Chang. Signature schemes based on two hard problems simultaneously. In the 17th International Conference on Advanced Information Networking and Applications, pp. 557–560, 2003.
- 30. G. Weijers. re:client puzzle protocol. Available at http://archives.neohapsis.com/archives/nfr-wizards/2000-q1/0558.html, 2000.
- 31. M. Williams. Ebay, amazon, buy.com hit by attacks. IDG News Service, 9 February 2000.
- 32. B. Ziegler. Hacker tangles panix Web site. Wall Street Journal, 12 September 1996.