New Client Puzzle Outsourcing Techniques for DoS Resistance
Brent Waters, Ari Juels, J. Alex Halderman and Edward W. Felten


Motivation

The client puzzle mechanism can itself become the target of DoS attacks: servers have to validate solutions, and validation requires resources.
Puzzles must be solved online.
User time is more important than CPU time.


Properties of the Proposed Solution

The creation of puzzles is outsourced to a secure entity, the bastion.
The bastion creates puzzles with no regard to which servers are going to use them.
Verifying a puzzle solution is a table lookup.
Clients can solve puzzles offline, ahead of time.
A puzzle solution gives access to a virtual channel for a short time period.


Puzzle Properties

Unique puzzle solutions: each puzzle has a unique solution.
Per-channel puzzle distribution: the solution (token) a server expects is unique per (server, channel, time period) triplet.
Per-channel puzzle solution: if a client has a solution for one channel, it can easily calculate the token for another server on the same channel, without solving a second puzzle.


Virtual Channels

Server i holds a private key X_i and publishes the public key Y_i = g^{X_i} (Diffie-Hellman). Let a be the solution of the bastion's puzzle for channel c and time period t, and let g_{c,t} = g^{f'(a)}.

Client side (one exponentiation per server, all from the single solution a):
  Server 1: token_{c,t} = Y_1^{f'(a)}
  Server 2: token_{c,t} = Y_2^{f'(a)}
  Server 3: token_{c,t} = Y_3^{f'(a)}

Server side (one exponentiation per channel and period, done ahead of time):
  Server 1: token_{c,t} = g_{c,t}^{X_1}
  Server 2: token_{c,t} = g_{c,t}^{X_2}
  Server 3: token_{c,t} = g_{c,t}^{X_3}

Both sides arrive at g^{X_i f'(a)}, so the client's token for server i matches the entry in server i's table.


System Description

Puzzle solutions are only valid for the time period t (on the order of minutes).

Client:
  During T_i, download the puzzles for T_{i+1} and solve them.
  Check whether the server has a public key; if so, append the puzzle solutions (tokens) to messages.

Server:
  During T_i, download and solve all puzzles for T_{i+1}.
  If the server is under attack, only accept requests that carry valid tokens.
  Checking a puzzle solution is a simple table lookup.


Communication

(Diagram: public key Y; puzzle index c; token for (c, t); token for (c, t+1); the exchange runs over the client's virtual channel.)

The client uses the option field in the TCP SYN to relay the token.
Only the first 48 bits of the solution are used.
The server determines the virtual channel from the token.
The server limits new connections per channel.
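The virtual-channel scheme of slides 4 through 7 as a runnable toy, added here as an example; it is not the authors' code. Assumptions beyond the slides: the bastion's puzzle is a hash-preimage search over 2**16 candidates, f' is SHA-256 reduced mod P-1, the DH group is meant to be the 1024-bit MODP group 2 of RFC 2409 with g = 2, a period lasts 120 s, and each channel admits at most 3 new connections per period. All names (Bastion, Server, client_prepare, client_token, demo) are illustrative.

```python
import hashlib
import secrets
from collections import defaultdict

# DH group: intended to be the 1024-bit MODP group 2 of RFC 2409 (g = 2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
P_BYTES = (P.bit_length() + 7) // 8
TOKEN_BYTES = 6        # slide 7: only the first 48 bits of the token are used
PUZZLE_BITS = 16       # assumed puzzle difficulty: brute-force search over 2**16 candidates
SOL_BYTES = (PUZZLE_BITS + 7) // 8
PERIOD_SECONDS = 120   # assumed; the slides say "order of minutes"
MAX_NEW_CONNS = 3      # assumed per-channel limit on new connections per period

def f_prime(a):
    """The slides' f': puzzle solution -> DH exponent (assumed: SHA-256 reduced mod P-1)."""
    return int.from_bytes(hashlib.sha256(b"exponent|" + a).digest(), "big") % (P - 1)

def puzzle_digest(c, t, a):
    return hashlib.sha256(b"puzzle|%d|%d|" % (c, t) + a).digest()

def truncate(token):
    """First 48 bits of a token value: the 6-byte tag carried in the TCP SYN option."""
    return token.to_bytes(P_BYTES, "big")[:TOKEN_BYTES]

def solve(puzzle):
    """Brute-force the assumed hash-preimage puzzle (unique solution barring a SHA-256 collision)."""
    c, t, digest = puzzle
    for cand in range(1 << PUZZLE_BITS):
        a = cand.to_bytes(SOL_BYTES, "big")
        if puzzle_digest(c, t, a) == digest:
            return a
    raise ValueError("no solution")

class Bastion:
    """Publishes one puzzle per (channel, period) with no regard to which server will use it."""
    def __init__(self, channels):
        self.channels, self._published = channels, {}

    def puzzles(self, t):
        if t not in self._published:                # same puzzles for every downloader
            self._published[t] = []
            for c in range(self.channels):
                a = secrets.randbits(PUZZLE_BITS).to_bytes(SOL_BYTES, "big")
                self._published[t].append((c, t, puzzle_digest(c, t, a)))
        return self._published[t]

class Server:
    def __init__(self, bastion):
        self.bastion = bastion
        self.x = secrets.randbelow(P - 2) + 1     # private key X
        self.y = pow(G, self.x, P)                # public key Y = g^X
        self.table = {}                           # (t, first 48 bits of token) -> channel c
        self.conns = defaultdict(int)             # (t, c) -> new connections admitted in T_t
        self.under_attack = False

    def prepare_period(self, t):
        """During T_{t-1}: solve every puzzle for T_t; one exponentiation per channel."""
        for puzzle in self.bastion.puzzles(t):
            c, a = puzzle[0], solve(puzzle)
            g_ct = pow(G, f_prime(a), P)          # g_{c,t} = g^{f'(a)}
            self.table[(t, truncate(pow(g_ct, self.x, P)))] = c   # token_{c,t} = g_{c,t}^X

    def accept_syn(self, now, syn_option):
        """Kernel-level admission: table lookup, then the per-channel connection limit."""
        t = int(now // PERIOD_SECONDS)
        if not self.under_attack:
            return True, None                     # not under attack: tokens not required
        c = self.table.get((t, syn_option))       # the lookup determines the virtual channel
        if c is None:
            return False, None                    # missing, stale or forged token
        if self.conns[(t, c)] >= MAX_NEW_CONNS:
            return False, c                       # channel full for this period
        self.conns[(t, c)] += 1
        return True, c

def client_prepare(bastion, t, s=2):
    """Client during T_{t-1}: download the puzzles for T_t and solve s of them offline."""
    chosen = secrets.SystemRandom().sample(bastion.puzzles(t), s)
    return [(p[0], solve(p)) for p in chosen]

def client_token(server_public_key, a):
    """One solution a yields a token for any server with a public key: Y^{f'(a)}, truncated."""
    return truncate(pow(server_public_key, f_prime(a), P))

def demo():
    """One bastion, two servers, one client; returns named checks for the properties on slides 4-7."""
    now = 1000.0
    t = int(now // PERIOD_SECONDS)
    bastion = Bastion(channels=4)
    s1, s2 = Server(bastion), Server(bastion)
    for srv in (s1, s2):
        srv.prepare_period(t)
    (c, a), (c2, a2) = client_prepare(bastion, t, s=2)
    tok1, tok2 = client_token(s1.y, a), client_token(s2.y, a)
    s1.under_attack = True
    admitted = [s1.accept_syn(now, tok1)[0] for _ in range(MAX_NEW_CONNS + 1)]
    return {
        "lookup_finds_channel": s1.table.get((t, tok1)) == c,
        "token_is_per_server": s2.table.get((t, tok1)) is None and s2.table.get((t, tok2)) == c,
        "token_is_per_period": s1.table.get((t + 1, tok1)) is None,
        "no_token_rejected_under_attack": s1.accept_syn(now, None) == (False, None),
        "per_channel_limit": admitted == [True] * MAX_NEW_CONNS + [False],
        "other_channel_still_open": s1.accept_syn(now, client_token(s1.y, a2)) == (True, c2),
    }
```

demo() exercises the three puzzle properties and the admission path: the server's per-request cost is one dict lookup on a 6-byte tag, independent of puzzle difficulty, while the expensive work (one exponentiation per channel per period on the server, one puzzle plus one exponentiation per server on the client) happens ahead of time. A token captured for server 1 is useless at server 2 and in the next period, which is what bounds replay to a single (server, channel, period).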


Resilience Against Attacks

A 2.1 GHz Pentium can perform a 1024-bit Diffie-Hellman operation (one token) in 3.7 ms; using 5% of its resources it can populate tokens for 16,000 virtual channels.
If s = 2, every client can solve at least one puzzle and half of them can solve at least two.
If the attacker has 50 zombie machines, it can create 2 * 50 * 2 = 200 puzzle solutions, occupying 1.25% of the channels.
The probability of a benign user not getting an attack-free channel is < 0.625%.


Experiment

Puzzle checking (the table lookup) is implemented at the kernel level, after routing and before the packet reaches higher-level protocols such as TCP.
Conventional puzzles are simulated by replacing the lookup code with a SHA-1 hash computation.
SYN cookies are simulated by allowing Linux to send the SYN-ACK packet back.
