• DocumentCode
    1827412
  • Title

    Design and implementation of network puzzles

  • Author

    Feng, Wenjie ; Kaiser, E. ; Feng, Wenjie ; Luu, A.

  • Author_Institution
    Portland State Univ., OR, USA
  • Volume
    4
  • fYear
    2005
  • fDate
    13-17 March 2005
  • Firstpage
    2372
  • Abstract
    Client puzzles have been proposed in a number of protocols as a mechanism for mitigating the effects of distributed denial of service (DDoS) attacks. In order to provide protection against simultaneous attacks across a wide range of applications and protocols, however, such puzzles must be placed at a layer common to all of them; the network layer. Placing puzzles at the IP layer fundamentally changes the service paradigm of the Internet, allowing any device within the network to push load back onto those it is servicing. An advantage of network layer puzzles over previous puzzle mechanisms is that they can be applied to all traffic from malicious clients, making it possible to defend against arbitrary attacks as well as making previously voluntary mechanisms mandatory. In this paper, we outline goals which must be met for puzzles to be deployed effectively at the network layer. We then describe the design, implementation, and evaluation of a system that meets these goals by supporting efficient, fine-grained control of puzzles at the network layer. In particular, we describe modifications to existing puzzle protocols that allow them to work at the network layer, a hint-based hash-reversal puzzle that allows for the generation and verification of fine-grained puzzles at line speed in the fast path of high-speed routers, and an iptables implementation that supports transparent deployment at arbitrary locations in the network.
  • Keywords
    IP networks; Internet; cryptography; routing protocols; telecommunication traffic; DDoS; IP layer; Internet; arbitrary location; client puzzles; distributed denial of service attack; fine-grained puzzle; high-speed routers; hint-based hash-reversal puzzle; network layer; network traffic; protocols; Communication system traffic control; Computer crime; Control systems; Filtering; IP networks; Protection; Protocols; Telecommunication traffic; Viruses (medical); Web and internet services;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE
  • ISSN
    0743-166X
  • Print_ISBN
    0-7803-8968-9
  • Type

    conf

  • DOI
    10.1109/INFCOM.2005.1498523
  • Filename
    1498523