On Non-Parallelizable Deterministic Client Puzzle Scheme with Batch Verification Modes

A (computational) client puzzle scheme enables a client to prove to a server that a certain amount of computing resources (CPU cycles and/or Memory look-ups) has been dedicated to solve a puzzle. Researchers have identified a number of potential applications, such as constructing timed cryptography, fighting junk emails, and protecting critical infrastructure from DoS attacks. In this paper, we first revisit this concept and formally define two properties, namely deterministic computation and parallel computation resistance. Our analysis show that both properties are crucial for the effectiveness of client puzzle schemes in most application scenarios. We prove that the RSW client puzzle scheme, which is based on the repeated squaring technique, achieves both properties. Secondly, we introduce two batch verification modes for the RSW client puzzle scheme in order to improve the verification efficiency of the server, and investigate three methods for handling errors in batch verifications. Lastly, we show that client puzzle schemes can be integrated with reputation systems to further improve the effectiveness in practice

Using rhythmic nonces for puzzle-based DoS resistance

To protect against replay attacks, many Internet proto-cols rely on nonces to guarantee freshness. In practice, the server generates these nonces during the initial hand-shake, but if the server is under attack, resources con-sumed by managing certain protocols can lead to DoS vulnerabilities. To help alleviate this problem, we pro-pose the concept of rhythmic nonces, a cryptographic tool that allows servers to measure request freshness with minimal bookkeeping costs. We explore the impact of this service in the context of a puzzle-based DoS re-sistance scheme we call “SYN puzzles”. Our preliminary results based on mathematical analysis and evaluation of a prototype suggests that our scheme is more resistant than existing techniques. 1

DDoS defense by offense

This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.National Science Foundation (U.S.) (NSF grant CNS-0225660)National Science Foundation (U.S.) (NSF grant CNS-0520241)United States. Dept. of Defense (National Security Science and Engineering Faculty Fellowship

On mitigating distributed denial of service attacks

Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks are probably the most ferocious threats in the Internet, resulting in tremendous economic and social implications/impacts on our daily lives that are increasingly depending on the wellbeing of the Internet. How to mitigate these attacks effectively and efficiently has become an active research area. The critical issues here include 1) IP spoofing, i.e., forged source lIP addresses are routinely employed to conceal the identities of the attack sources and deter the efforts of detection, defense, and tracing; 2) the distributed nature, that is, hundreds or thousands of compromised hosts are orchestrated to attack the victim synchronously. Other related issues are scalability, lack of incentives to deploy a new scheme, and the effectiveness under partial deployment. This dissertation investigates and proposes effective schemes to mitigate DDoS attacks. It is comprised of three parts. The first part introduces the classification of DDoS attacks and the evaluation of previous schemes. The second part presents the proposed IP traceback scheme, namely, autonomous system-based edge marking (ASEM). ASEM enhances probabilistic packet marking (PPM) in several aspects: (1) ASEM is capable of addressing large-scale DDoS attacks efficiently; (2) ASEM is capable of handling spoofed marking from the attacker and spurious marking incurred by subverted routers, which is a unique and critical feature; (3) ASEM can significantly reduce the number of marked packets required for path reconstruction and suppress false positives as well. The third part presents the proposed DDoS defense mechanisms, including the four-color-theorem based path marking, and a comprehensive framework for DDoS defense. The salient features of the framework include (1) it is designed to tackle a wide spectrum of DDoS attacks rather than a specified one, and (2) it can differentiate malicious traffic from normal ones. The receiver-center design avoids several related issues such as scalability, and lack of incentives to deploy a new scheme. Finally, conclusions are drawn and future works are discussed

A Novel Puzzle-Based Framework for Mitigating Distributed Denial of Service Attacks Against Internet Applications

Cryptographic puzzles are promising techniques for mitigating DDoS attacks via decreasing the incoming rate of service eligible requests. However, existing cryptographic puzzle techniques have several shortcomings that make them less appealing as a tool of choice for DDoS defense. These shortcomings include: (1) the lack of accurate models for dynamically determining puzzle hardness; (2) the lack of an efficient and effective counter mechanism for puzzle solution replay attacks; and (3) the wastefulness of the puzzle computations in terms of the clients' computational resources. In this thesis, we provide a puzzle based DDoS defense framework that addresses these shortcomings. Our puzzle framework includes three novel puzzle mechanisms. The first mechanism, called Puzzle+, provides a mathematical model of per-request puzzle hardness. Through extensive experimental study, we show that this model optimizes the effectiveness of puzzle based DDoS mitigation while enabling tight control over the server utilization. In addition, Puzzle+ disables puzzle solution replay attacks by utilizing a novel cache algorithm to detect replays. The second puzzle mechanism, called Productive Puzzles, alleviates the wastefulness of computational puzzles by transforming the puzzle computations into computations of meaningful tasks that provide utility. Our third puzzle mechanism, called Guided Tour Puzzles, eliminates the wasteful puzzle computations all together, and adopts a novel delay-based puzzle construction idea. In addition, it is not affected by the disparity in the computational resources of the client machines that perform the puzzle computations. Through measurement analysis on real network testbeds as well as extensive simulation study, we show that both Productive Puzzles and Guided Tour Puzzles achieve effective mitigation of DDoS attacks while satisfying no wasteful computation requirement. Lastly, we introduce a novel queue management algorithm, called Stochastic Fair Drop Queue (SFDQ), to further strengthen the DDoS protection provided by the puzzle framework. SFDQ is not only effective against DDoS attacks at multiple layers of the protocol stack, it is also simple to configure and deploy. SFDQ is implemented over a novel data structure, called Indexed Linked List, to provide enqueue, dequeue, and remove operations with O(1) time complexity

Defending networked resources against floods of unwelcome requests

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, February 2008.Includes bibliographical references (p. 172-189).The Internet is afflicted by "unwelcome requests'" defined broadly as spurious claims on scarce resources. For example, the CPU and other resources at a server are targets of denial-of-service (DOS) attacks. Another example is spam (i.e., unsolicited bulk email); here, the resource is human attention. Absent any defense, a very small number of attackers can claim a very large fraction of the scarce resources. Traditional responses identify "bad" requests based on content (for example, spam filters analyze email text and embedded URLs). We argue that such approaches are inherently gameable because motivated attackers can make "bad" requests look "good". Instead, defenses should aim to allocate resources proportionally (so if lo% of the requesters are "bad", they should be limited to lo% of the scarce resources). To meet this goal, we present the design, implementation, analysis, and experimental evaluation of two systems. The first, speak-up, defends servers against application-level denial-of-service by encouraging all clients to automatically send more traffic. The "good" clients can thereby compete equally with the "bad" ones. Experiments with an implementation of speak-up indicate that it allocates a server's resources in rough proportion to clients' upload bandwidths, which is the intended result. The second system, DQE, controls spam with per-sender email quotas. Under DQE, senders attach stamps to emails. Receivers communicate with a well-known, untrusted enforcer to verify that stamps are fresh and to cancel stamps to prevent reuse. The enforcer is distributed over multiple hosts and is designed to tolerate arbitrary faults in these hosts, resist various attacks, and handle hundreds of billions of messages daily (two or three million stamp checks per second). Our experimental results suggest that our implementation can meet these goals with only a few thousand PCs.(cont) The enforcer occupies a novel design point: a set of hosts implement a simple storage abstraction but avoid neighbor maintenance, replica maintenance, and mutual trust. One connection between these systems is that DQE needs a DoS defense-and can use speak-up. We reflect on this connection, on why we apply speak-up to DoS and DQE to spam, and, more generally, on what problems call for which solutions.by Michael Walfish.Ph.D

Improving the resilience of cyber-physical systems under strategic adversaries

Renewable energy resources challenge traditional energy system operations by substituting the stability and predictability of fossil fuel based generation with the unreliability and uncertainty of wind and solar power. Rising demand for green energy drives grid operators to integrate sensors, smart meters, and distributed control to compensate for this uncertainty and improve the operational efficiency of the grid. Real-time negotiations enable producers and consumers to adjust power loads during shortage periods, such as an unexpected outage or weather event, and to adapt to time-varying energy needs. While such systems improve grid performance, practical implementation challenges can derail the operation of these distributed cyber-physical systems. Network disruptions introduce instability into control feedback systems, and strategic adversaries can manipulate power markets for financial gain. This dissertation analyzes the impact of these outages and adversaries on cyber-physical systems and provides methods for improving resilience, with an emphasis on distributed energy systems. First, a financial model of an interdependent energy market lays the groundwork for profit-oriented attacks and defenses, and a game theoretic strategy optimizes attack plans and defensive investments in energy systems with multiple independent actors. Then attacks and defenses are translated from a theoretical context to a real-time energy market via denial of service (DoS) outages and moving target defenses. Analysis on two market mechanisms shows how adversaries can disrupt market operation, destabilize negotiations, and extract profits by attacking network links and disrupting communication. Finally, a low-cost DoS defense technique demonstrates a method that energy systems may use to defend against attacks