Requirements for Client Puzzles to Defeat the Denial of Service and the Distributed Denial of Service Attacks

摘要

Client puzzle protocols represent a promising technique for defeating resource depletion Denial of Service (DoS) attacks. Practical implementations of client puzzle protocols not only reported positive results in achieving such a challenging goal (preventing DoS attacks), but also these implementations overcame, up to a certain degree, one of the first disadvantages of client puzzle protocols: Their interoperability with current Internet communication protocols. However, the question on whether client puzzle protocols can thwart the Distributed Denial of Service (DDoS) attacks is still under investigation. Due to the increasing number of DDoS attacks, their prevention has become very important. Based on the puzzle generation and verification processes, and focusing mainly on forestalling DDoS attacks, this paper classifies and analyzes current proposals of client puzzle protocols. The paper not only reveals and analyzes their limitations with regards to the prevention of DDoS attacks, but also outlines a general approach for addressing the identified limitations. We propose a solution based on the general principle that under attack legitimate clients should be willing to experience some degradation in their performance in order to obtain the requested service. Our proposal is based on including a puzzle-solution request  in different states of a given connection such that the computational load for solving the puzzles will be noted but the clients’ operations will not be totally interrupted.Keywords: Security attacks, distributed denial of service.Received May 12, 2005; accepted August 3, 2005Full Text