Cryptographic Approaches to Denial-of-Service Resistance

  • C. Boyd
  • J. Gonzalez-Nieto
  • L. Kuppusamy
  • H. Narasimhan
  • C. Pandu Rangan
  • J. Rangasamy
  • J. Smith
  • D. Stebila
  • V. Varadarajan


Authentication is a promising way to treat denial-of-service (DoS) threats against nonpublic services because it allows servers to restrict connections only to authorised users. However, there is a catch with this argument since authentication itself is typically a computationally intensive rocess that is necessarily exposed to unauthenticated entities. This means that the authentication protocol can become a source of denial-of-service vulnerability itself, thereby causing the same problem it is aimed at solving.


Nash Equilibrium Authentication Protocol Message Authentication Code Internet Protocol Address Host Identity Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Abadi, M., M. Burrows, M. Manasse, and T. Wobber. 2003. Moderately hard, memory-bound functions. In the 10th Annual Network and Distributed System Security Symposium, San Diego, 6–7 Feb 2003.Google Scholar
  2. 2.
    Agah, A., and S.K. Das. 2007. Preventing dos attacks in wireless sensor networks: A repeated game theory approach. International Journal of Network Security 5(2): 145–153.Google Scholar
  3. 3.
    Aiello, W., S.M. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A.D. Keromytis, and O. Reingold. 2004. Just fast keying: Key agreement in a hostile Internet. ACM Transactions on Information and System Security 7(2): 1–30.CrossRefGoogle Scholar
  4. 4.
    Aura, T., and P. Nikander. 1997. Stateless connections. In Proceeding of the International Conference on Information and Communications Security (ICICS’97), eds. Y. Han, T. Okamoto, and S. Qing, LNCS, vol. 1334, 87–97, Beijing, China, Nov 1997. Springer.Google Scholar
  5. 5.
    Aura, T., P. Nikander, and J. Leiwo. 2000. DoS-resistant authentication with client puzzles. In Security Protocols Workshop 2000, 170–181. Cambridge, Apr 2000.Google Scholar
  6. 6.
    Aura, T., P. Nikander, and J. Leiwo. 2001. DOS-resistant authentication with client puzzles. In Revised Papers from the 8th International Workshop on Security Protocols, Lecture notes in computer science, vol. 2133, 170–177. Springer-Verlag.Google Scholar
  7. 7.
    Aura, T., and P. Nikander. 1997. Stateless connections. Technical report A46, Helsinki University of Technology, Digital Systems laboratory, Espoo, Finland.Google Scholar
  8. 8.
    Back, A. 1997.[-8pc] A partial hash collision based postage scheme. Accessed 31 Aug 2011.
  9. 9.
    Back, A. 2004. Hashcash.\#stamp_format__version_1_.. Accessed 31 Aug 2011.
  10. 10.
    Bellare, M., J. Kilian, and P. Rogaway. 2000. The security of the cipher block chaining message authentication code. Journal of Computer and System Sciences 61(3): 362–399.MathSciNetMATHCrossRefGoogle Scholar
  11. 11.
    Bellare, M., and P. Rogaway. 1994. Entity authentication and key distribution. In Proceedings of the 13th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’93, 232–249, London. Springer-Verlag.Google Scholar
  12. 12.
    Bellare, M., and P. Rogaway. 1993. Random oracles are practical: a paradigm for designing efficient protocols. In Proceedings of the 1st ACM conference on Computer and communications security, CCS ’93, 62–73, New York, 1993. ACM.Google Scholar
  13. 13.
    Bencsath, B., I. Vajda, and L. Buttyan. 2003. A game based analysis of the client puzzle approach to defend against DoS attacks. In Proceedings of the 2003 International Conference on Software, Telecommunications and Computer Networks, 763–767, 2003.Google Scholar
  14. 14.
    Canetti, R., S. Halevi, and M. Steiner. 2005. Hardness amplification of weakly verifiable puzzles, In J. Kilian (ed.), Theory of Cryptography Conference (TCC), LNCS 3378, pp. 17–33. Springer, 2005.Google Scholar
  15. 15.
    Canetti, R., and H. Krawczyk. 2002. Security analysis of IKE’s signature based key-exchange protocol. In M. Yung (ed.), Advances in Cryptology – Proc. CRYPTO, LNCS 2442, pp. 27–52. Springer, 2002.Google Scholar
  16. 16.
    Castelluccia, C., E. Mykletun, and G. Tsudik (2006). Improving secure server performance by re-balancing SSL/TLS handshakes. In ASIACCS ’06: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, 26–34, New York, 2006. ACM Press.Google Scholar
  17. 17.
    Chan, E., C.A. Gunter, S. Jahid, E. Peryshkin, and D. Rebolledo. 2008. Using rhythmic nonces for puzzle-based DoS resistance. In Proceedings of the 2nd ACM Workshop on Computer Security Architectures, 51–58, New York, 2008. ACM Press.Google Scholar
  18. 18.
    Chen, L., P. Morrissey, N.P. Smart, and B. Warinschi. 2009. Security notions and generic constructions for client puzzles. In M. Matsui (ed.), Advances in Cryptology – Proc. ASIACRYPT 2009, LNCS 5912, pp. 505–523. Springer, 2009.Google Scholar
  19. 19.
    Dwork, C., A. Goldberg, and M. Naor. 2003. On memory-bound functions for fighting spam. In the 23rd Annual International Cryptology Conference (CRYPTO 2003), 426–444, Aug 2003.Google Scholar
  20. 20.
    Dwork, C., and M. Naor. 1992. Pricing via processing or combatting junk mail. In the 12th Annual International Cryptology Conference on Advances in Cryptology, Lecture notes In Computer Science, vol. 740, 139–147, 1992. Springer-Verlag.Google Scholar
  21. 21.
    Dwork, C., M. Naor, and H. Wee. 2005. Pebbling and proofs of work. In CRYPTO, 37–54, 2005.Google Scholar
  22. 22.
    Fallah, M. 5555. A puzzle-based defense strategy against flooding attacks using game theory. IEEE Transactions on Dependable and Secure Computing 99(2): 5555.Google Scholar
  23. 23.
    Feng, W., E. Kaiser, W. Feng, and A. Luu. 2004. The design and implementation of network layer puzzles. Technical report 04-003, OGI CSE, Aug 2004.Google Scholar
  24. 24.
    Feng, W., E. Kaiser, and A. Luu. 2005. Design and implementation of network puzzles. In INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE, vol. 4, 2372–2382, March 2005.Google Scholar
  25. 25.
    Fudenberg, D. and E. Maskin. 1986. The folk theorem in repeated games with discounting or with incomplete information. Econometrica 54(3): 533–54.MathSciNetMATHCrossRefGoogle Scholar
  26. 26.
    Harkins, D. and D. Carrel. 1998. The internet key exchange (IKE), November 1998. Obsoleted by RFC 4306, updated by RFC 4109.Google Scholar
  27. 27.
    Jakobsson, M., and A. Juels. Proofs of work and bread pudding protocols (extended abstract). In B. Preneel (ed.), Proceedings of the IFIP TC6/TC11 Joint Working Conference on Secure Information Networks: Communications and Multimedia Security, volume 152 of IFIP Conference Proceedings, pp. 258–272. Kluwer, 1999.Google Scholar
  28. 28.
    Jakobsson, M., and A. Juels. 1999. Proofs of work and bread pudding protocols. In The IFIP TC6 and TC11 Joint Working Conference on Communications and Multimedia Security (CMS í99). Also available as
  29. 29.
    Juels, A., and J. Brainard. 1999. Client Puzzles: A cryptographic defense against connection depletion attacks. In Proceedings of the Network and Distributed System Security Symposium (NDSS ’99), 151–165, San Diego, Feb 1999. Internet Society Press, Reston.Google Scholar
  30. 30.
    Karn, P.R., and W.A. Simpson. 1999. Photuris: Session-key management protocol. RFC 2522, IETF.Google Scholar
  31. 31.
    Kaufman, C. 2005. Internet key exchange (IKEv2) protocol. RFC 4306.Google Scholar
  32. 32.
    Kennell, R., and L.H. Jamieson. 2003. Establishing the genuinity of remote computer systems. In 12th USENIX Security Symposium, 295–308, 2003.Google Scholar
  33. 33.
    Kent, S., and R. Atkinson. 1998. Security architecture for the internet protocol. Standards track RFC 2401, IETF. Accessed 31 Aug 2011.
  34. 34.
    Kent, S., and K. Seo. 2005. Security architecture for the internet protocol, December 2005.Google Scholar
  35. 35.
    Komathy, K., and P. Narayanasamy. 2008. Secure data forwarding against denial of service attack using trust based evolutionary game. In Vehicular Technology Conference, 2008. VTC Spring 2008. IEEE, 31–35, May 2008.Google Scholar
  36. 36.
    LaMacchia, B., K. Lauter, and A. Mityagin. 2007. Stronger security of authenticated key exchange. In W. Susilo, J.K. Liu, and Y. Mu (eds), First International Conference on Provable Security (ProvSec), LNCS 4784, pp. 1–16. Springer, 2007.Google Scholar
  37. 37.
    Leiwo, J., P. Nikander, and T. Aura. 2000. Towards network denial of service resistant protocols. In the 15th Annual Working Conference on Information Security (SEC2000), vol. 175, Beijing, China, Aug 2000.Google Scholar
  38. 38.
    Lemon, J. 2002. Resisting SYN flood DoS attacks with a SYN cache. In the BSDCon 2002, 89–97, Berkley, 11–14 Feb 2002.Google Scholar
  39. 39.
    Lv, J.-J. 2008. A game theoretic defending model with puzzle controller for distributed dos attack prevention. In 2008 International Conference on Machine Learning and Cybernetics, vol. 2, 1064–1069, July 2008.Google Scholar
  40. 40.
    Mahimkar, A., and V. Shmatikov. 2005. Game-based analysis of denial-of-service prevention protocols. In CSFW ’05: Proceedings of the 18th IEEE Workshop on Computer Security Foundations, 287–301, Washington, DC, 2005. IEEE Computer Society.Google Scholar
  41. 41.
    Mao, W., and K.G. Paterson. 2002. On the plausible deniability feature of Internet protocols. Manuscript. Accessed 31 Aug 2011.
  42. 42.
    Matsuura, K., and H. Imai. 2000. Modification of internet key exchange resistant against denial-of-service. In Pre-Proceeding of Internet Workshop 2000 (IWS2000), 167–174, Feb 2000.Google Scholar
  43. 43.
    Meadows, C. 1999. A formal framework and evaluation method for network denial of service. In Proc. 12th IEEE Computer Security Foundations Workshop (CSFW) 1999, 4, 1999.Google Scholar
  44. 44.
    Meadows, C. 2001. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security 9(1): 143–164.Google Scholar
  45. 45.
    Menezes, A.J., P.C. van Oorschot, and S.A. Vanstone. 1997. Handbook of applied cryptography. CRC Press series on discrete mathematics and its applications. CRC Press. ISBN 0-8493-8523-7.MATHGoogle Scholar
  46. 46.
    Mirkovic, J., and P. Reiher. 2004. A taxonomy of DDoS attack and DDoS defense mechanisms. SIGCOMM Computer Communication Review 34(2): 39–53.CrossRefGoogle Scholar
  47. 47.
    Moskowitz, R., P. Nikander, P. Jokela, and T.R. Henderson. 2008. Host identity protocol, Apr 2008. RFC 5201.Google Scholar
  48. 48.
    Narasimhan, H., V. Varadarajan, and C.P. Rangan. 2009. Game theoretic resistance to denial of service attacks using hidden difficulty puzzles. Cryptology ePrint Archive, Report 2009/350. Accessed 31 Aug 2011.
  49. 49.
    Narasimhan, H., V. Varadarajan, and C.P. Rangan. 2010. Game theoretic resistance to denial of service attacks using hidden difficulty puzzles. In ISPEC, 359–376, 2010.Google Scholar
  50. 50.
    Paterson, K.G. 2006. A cryptographic tour of the IPsec standards. Cryptology ePrint Archive, Report 2006/097. Accessed 31 Aug 2011.
  51. 51.
    Price, G. 2003. A general attack model on hash-based client puzzles. In Cryptography and Coding, 9th IMA International Conference, Cirencester, UK, December 16–18, 2003, Proceedings, ed. K. Paterson, Lecture notes in computer science, 319–331, vol. 2898. Springer-Verlag.Google Scholar
  52. 52.
    Rabin, M.O. 1979. Digitalized signatures and public-key functions as intractable as factorization. Technical report MIT/LCS/TR-212, Massachusetts Institute of Technology.Google Scholar
  53. 53.
    Rivest, R.L, A. Shamir, and L. Adleman. 1978. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM 21(2): 120–126.MathSciNetMATHCrossRefGoogle Scholar
  54. 54.
    Rivest, R.L., A. Shamir, and D.A. Wagner. 1996. Time-lock puzzles and timed-release crypto. Technical report TR-684, Massachusetts Institute of Technology, Cambridge, 10 Mar 1996.Google Scholar
  55. 55.
    Sagduyu, Y.E., and A. Ephremides. 2009. A game-theoretic analysis of denial of service attacks in wireless random access. Wireless Networks 15(5): 651–666.CrossRefGoogle Scholar
  56. 56.
    Shankar, U., M. Chew, and J.D. Tygar. 2004. Side effects are not sufficient to authenticate software. In Proceedings of the Thirteenth USENIX Security Symposium, 89–102, Aug 2004. USENIX.Google Scholar
  57. 57.
    Simpson, W.A. 1999. IKE/ISAKMP considered harmful. USENIX ;login 24(6).Google Scholar
  58. 58.
    Smith, J. 2007. Denial of service: Prevention, modelling and detection. PhD thesis, Queensland University of Technology, Brisbane.Google Scholar
  59. 59.
    Smith, J., J. González Nieto, and C. Boyd. Modelling denial of service attacks on JFK with Meadows’s cost-based framework, 125–134.Google Scholar
  60. 60.
    Stebila, D., L. Kuppusamy, J. Rangasamy, C. Boyd, and J. Gonzalez-Nieto. 2011. Stronger difficulty notions for client puzzles and denial-of-service-resistant protocols. In Topics in Cryptology – CT-RSA 2011, ed. A. Kiayias Lecture notes in computer science, 284–301, vol. 6558, 2011. Springer, Berlin.Google Scholar
  61. 61.
    Stebila, D., and B. Ustaoglu. 2009. Towards denial-of-service-resilient key agreement protocols. In C. Boyd and J. González Nieto (eds), Proc. 14th Australasian Conference on Information Security and Privacy (ACISP), LNCS 5594, pp. 389–406. Springer, 2009.Google Scholar
  62. 62.
    Tritilanunt, S., C. Boyd, J. González Nieto, and E. Foo. 2007. Toward non-parallelizable cryptographic puzzles. In of 6th International Conference on Cryptology and Network Security (CANS 2007), Singapore, 8–10 December 2007.Google Scholar
  63. 63.
    Ustaoglu, B. 2008. Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Designs, Codes and Cryptography 46(3): 329–342.MathSciNetCrossRefGoogle Scholar
  64. 64.
    Wang, X. and M.K. Reiter. 2003. Defending against denial-of-service attacks with puzzle auctions. In Proceedings of the 2003 IEEE Symposium on Security and Privacy, 2003. IEEE Computer Society.Google Scholar
  65. 65.
    Waters, B., A. Juels, J.A. Halderman, and E.W. Felten. 2004. New client puzzle outsourcing techniques for dos resistance. In CCS ’04: Proceedings of the 11th ACM Conference on Computer and Communications Security, 246–256, New York, 2004. ACM.Google Scholar

Copyright information

© Springer India Pvt. Ltd. 2011

Authors and Affiliations

  • C. Boyd
    • 1
  • J. Gonzalez-Nieto
    • 1
  • L. Kuppusamy
    • 1
  • H. Narasimhan
    • 3
  • C. Pandu Rangan
    • 2
  • J. Rangasamy
    • 1
  • J. Smith
    • 1
  • D. Stebila
    • 1
  • V. Varadarajan
    • 3
  1. 1.Information Security InstituteQueensland University of TechnologyBrisbaneAustralia
  2. 2.Department of Computer Science and EngineeringIndian Institute of Technology MadrasChennaiIndia
  3. 3.Department of Computer Science and EngineeringCollege of Engineering Guindy, Anna UniversityChennaiIndia

Personalised recommendations