New Client Puzzle Outsourcing Techniques for DoS Resistance - PowerPoint PPT Presentation

About This Presentation
Title:

New Client Puzzle Outsourcing Techniques for DoS Resistance

Description:

Client Puzzles. DoS attack the attackers consume ... get resources allotted to channels he has solved puzzles for. Server A ... solves puzzles in preparation ... – PowerPoint PPT presentation

Number of Views:107
Avg rating:3.0/5.0
Slides: 25
Provided by: csUt8
Category:

less

Transcript and Presenter's Notes

Title: New Client Puzzle Outsourcing Techniques for DoS Resistance


1
New Client Puzzle Outsourcing Techniques for DoS
Resistance
  • Brent Waters, Stanford University
  • Ari Juels, RSA Laboratories
  • Alex Halderman, Princeton University
  • Ed Felten, Princeton University

2
Client Puzzles
  • DoS attack the attackers consume resources
    quickly
  • May not be enough resources left for a regular
    client

Server
Attackers
User
3
Client Puzzles
  • Client puzzles slow down an attacker by making
    him solve
  • a moderately hard challenge before granting
    a resource
  • Typically, partially invert a hash function

Server
Attackers
User
4
Client Puzzles
  • Client Puzzles can potentially be used to protect
    many different kinds of resources
  • Email SPAM DN92
  • TCP SYN buffers JB99
  • CPU on SSL connections JB99, DS02
  • Database Queries
  • Resource intensive queries
  • DRM?
  • IP packets

5
Shortcomings of Client Puzzles
  • Puzzle-solving delay after user request
  • User must wait for his machine to solve puzzle
  • Is this a problem? JB99 show 1s delay for TCP
    syn buffer
  • However, they do their analysis under 20
    attackers
  • Lesson Delay depends upon number of attackers
    and scarcity of resource

6
Shortcomings of Client Puzzles
  • 2) Server hash computation per submitted solution
  • Hash overhead 1us computation time
  • Typically small relative to resource given
  • Attack by flooding server with incorrect
    solutions
  • Impractical if protecting a low level service
    such as IP layer

7
Our Solution
  • Outsource puzzle creation
  • Puzzles created are independent of client or
    server using them
  • Solve for access to channels on servers
  • Assume internal routing structure is resistant to
    eavesdropping

8
Outsourcing Puzzles
  • Bastion service distributes puzzles
  • Global Service
  • Bastion operation is independent of servers
  • and clients using it
  • ? Scalability

9
Outsourcing Puzzles
  • Since puzzles are independent of bastion can use
    robust systems to distribute puzzles
  • Leverage point

10
Solving for Channels
  • Client solves for a random channel
  • Next time period uses solved channel as solution
  • Solution can be transformed to work on any server

11
Solving for Channels
  • Client solves for a random channel
  • Next time period uses solved channel as solution
  • Solution can be transformed to work on any server

12
Solving for Channels
  • Client solves for a random channel
  • Next time period uses solved channel as solution
  • Solution can be transformed to work on any server

Server A
Server B
13
Attackers and Channels
  • Attacker can only get resources allotted to
    channels he has solved puzzles for

Attackers
Server A
PKA
14
Puzzle Construction
  • N Channels
  • P(x,d) Puzzle hiding x of difficulty d
  • H Hash function
  • xi Randomly chosen each iteration

15
Client and Server Operation
  • Server
  • Compute all N tokens for period j1
  • Public key ga
  • For all Xigxi compute Xia gaxi
  • Client
  • Solve puzzle for period j1
  • Pick random channel
  • Solve puzzle for channel
  • Use solution computed during
  • period j-1
  • Have solution xi for channel i
  • For server with public key Yga compute Yxi gaxi
    as token for channel i
  • Use tokens computed during
  • period j-1
  • Request on channel i, do a quick comparison on
    token list
  • Keep track of resources granted per channel

16
Key Points
  • User does not wait for puzzle to be solved
  • Bytestring comparison per claimed solution
  • Primary bottleneck is of channels the server
    computes tokens for (exponentiations)
  • Will improve as processor speeds increase
  • Can give out Xi before Puz(xi,d)

17
An Example
  • Time cycles of 20 minutes
  • N20,000 channels
  • 5 of a high end servers computing time
  • Set puzzle difficulty so typical machine can have
    2 solutions
  • 1,000 attackers with 1,000 solutions
  • ? 1/10 of channels
  • Regular user has 2 random channels each 10
    chance of being occupied by adversary ? 1 that
    both are occupied

18
Prototype Implementation
  • Rate limits number of new TCP connections
  • After SYN packet must wait n seconds before
    another on channel

Sends two previously computed tokens
HTTP Server to simulate Bastion
19
Flooding Attack Experiment
  • Attacker submits several false solutions

20
Comparison to Traditional Client Puzzles
  • Our Approach
  • Proactive approach solves puzzles in preparation
  • Uses resources when not under attack (server
    client)
  • Solution is ready immediately for user request
  • Bitstring comparison per claimed solution
  • IP layer
  • Traditional Client Puzzles
  • Enter client puzzle operation in reaction to an
    attack
  • User waits for client to solve
  • Hash computation per claimed solution

21
Comparison to Traditional Client Puzzles
  • Our Approach
  • Use solutions at multiple protocols (e.g. TCP,
    SSL, Database queries)
  • Number of channels available should increase as
    servers can do PK operations faster
  • Traditional Client Puzzles
  • Unclear how should manage protecting multiple
    protocols

22
Extensions
  • Identity-Based server public keys
  • More flexible number of channels per server
  • Random Beacon for Bastion
  • Loose universal puzzle property
  • More efficient PK crypto
  • Smaller key sizes (key life is shorter)

23
Conclusions
  • Propose a new client puzzle outsourcing technique
    for protecting against DoS attacks
  • Trade off extra average case effort in exchange
    for low-user delay and efficient solution
    verification

24
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com