Survey on: Software Puzzle for Offsetting DoS Attack

A Denial of Service (DoS) attack is a malevolent attempt to make a server or a network resource inaccessible to users, usually by temporarily breaking or suspending the services of a host connected to the Internet. DoS attacks and Distributed DoS (DDoS) attacks attempt to deplete an online service's resource such as network bandwidth, memory and computational power by overwhelming the service with bogus requests. Thus, DoS and DDoS attacks have become a major problem for users of computer systems connected to the Internet. Many state-art of the techniques used for defending the internet from these attacks have been discussed in this paper. After conducting an exhaustive survey on these techniques it has been found that the proposed software puzzle scheme that randomly generates only after a client request is received at the server side gives better performance as compared with previous techniques

DNA-based client puzzle for WLAN association protocol against connection request flooding

In recent past, Wireless Local Area Network (WLAN) has become more popular because of its flexibility. However, WLANs are subjected to different types of vulnerabilities. To strengthen WLAN security, many high security protocols have been developed. But those solutions are found to be ineffective in preventing Denial of Service (DoS) attacks. A ‘Connection Request Flooding’ DoS (CRF-DoS) attack is launched when an access point (AP) encounters a sudden explosion of connection requests. Among other existing anti CRF-DoS methods, a client puzzle protocol has been noted as a promising and secure potential solution. Nonetheless, so far none of the proposed puzzles satisfy the security requirement of resource-limited and highly heterogeneous WLANs. The CPU disparity, imposing unbearable loads on legitimate users, inefficient puzzle generation and verification algorithms; the susceptibility of puzzle to secondary attacks on legitimate users by embedding fake puzzle parameters; and a notable delay in modifying the puzzle difficulty – these are some drawbacks of currently existing puzzles. To deal with such problems, a secure model of puzzle based on DNA and queuing theory is proposed, which eliminates the above defects while satisfying the Chen puzzle security model. The proposed puzzle (OROD puzzle) is a multifaceted technology that incorporates five main components include DoS detector, queue manager, puzzle generation, puzzle verification, and puzzle solver. To test and evaluate the security and performance, OROD puzzle is developed and implemented in real-world environment. The experimental results showed that the solution verification time of OROD puzzle is up to 289, 160, 9, 3.2, and 2.3 times faster than the Karame-Capkun puzzle, the Rivest time-lock puzzle, the Rangasamy puzzle, the Kuppusamy DLPuz puzzle, and Chen's efficient hash-based puzzle respectively. The results also showed a substantial reduction in puzzle generation time, making the OROD puzzle from 3.7 to 24 times faster than the above puzzles. Moreover, by asking to solve an easy and cost-effective puzzle in OROD puzzle, legitimate users do not suffer from resource exhaustion during puzzle solving, even when under severe DoS attack (high puzzle difficulty)

Verifiable Delay Functions

We study the problem of building a verifiable delay function (VDF). A VDF requires a specified number of sequential steps to evaluate, yet produces a unique output that can be efficiently and publicly verified. VDFs have many applications in decentralized systems, including public randomness beacons, leader election in consensus protocols, and proofs of replication. We formalize the requirements for VDFs and present new candidate constructions that are the first to achieve an exponential gap between evaluation and verification time

Quebra-Cabeças Criptográficos

TCC(graduação) - Universidade Federal de Santa Catarina. Centro Tecnológico. Sistemas de Informação.É de comum conhecimento, dentro da área de Segurança em Compu- tação, que dispomos de diferentes mecanismos para garantir que os princípios relacionados à mesma sejam garantidos. São eles: confiden- cialidade, integridade, disponibilidade e autenticidade. Um dos me- canismos conhecidos hoje chama-se Crypto Puzzle, ou Quebra-Cabeça Criptográfico. Trata-se de um problema matemático que deve ser resol- vido para obter acesso a alguma coisa, seja ela uma informação básica ou até acesso aos diferentes serviços de um servidor. A utilização de quebra-cabeças criptográficos pode reforçar diferentes aspectos de segu- rança, desde garantir confidencialidade de uma informação por deter- minado tempo, até melhorar a disponibilidade de um serviço, servindo de mecanismo de controle de requisições contra ataques de negação de serviço (conhecidos como DoS - Denial of Service). O presente trabalho pretende explorar os diferentes tipos de quebra- cabeça existentes, bem como a diferença, as vantagens e desvantagens entre eles e, baseado nas propriedades que cada um atende, irá mostrar a aplicabilidade de cada um. Além disso, este trabalho visa detalhar e implementar três abordagens diferentes de quebra-cabeças criptográfi- cos, conhecidas como Time Lock, Subset Sum e Modular Square Roots. Estas três abordagens foram selecionadas por possuírem a propriedade de não paralelização, sendo úteis em cenários onde o tempo de resolu- ção do quebra-cabeça é extremamente importante. Além de detalhar e implementar estas três abordagens, uma série de experimentos será realizada em cada uma delas. Os resultados experi- mentais encontrados nos permitirão confirmar a eficiência das aborda- gens e compreender melhor os conceitos matemáticos envolvidos. Além disso, será possível comparar uma abordagem com a outra no que diz respeito à sua complexidade, custo computacional e precisão de tempo.The information security and secrecy scenario can be explored in several ways. It is common knowledge, within the area of Computer Security, that we have different mechanisms to ensure that the principles related to it are guaranteed. These are: confidentiality, integrity, availability and authenticity. One of the mechanisms known today is called Cryp- tographic Puzzle. This is a mathematical problem that must be solved to gain access to something, be it basic information or even access to the different services of a server. The use of cryptographic puzzles can reinforce different aspects of security, from guaranteeing confidentia- lity of information for a certain time, to improving the availability of a service, serving as a mechanism to control requests against Denial of Service attacks (also known as DoS attacks). The present work intends to explore the different types of puzzle, as well as the difference, the advantages and disadvantages between them and, based on the properties that each one attends, will show the ap- plicability of each one. In addition, this work aims to implement three different approaches of cryptographic puzzles, known as Time Lock, Subset Sum and Modular Square Roots. These three approaches were selected because they have the non-parallelization property, which make them useful in scenarios where the puzzle’ solving time is extremely im- portant. In addition to detailing and implementing these three approaches, a series of experiments will be conducted on each of them. Experimental results will allow us to confirm the efficiency of the approaches and to better understand the mathematical concepts involved. In addition, it will be possible to compare one approach with the other, considering its complexity, computational cost, and time precision

A Systematic Puzzle Approach of Deploying Software For Restricting Dos & DDOS Attacks

In the network denial of service (DoS) and distributed DoS (DDoS) attacks intend to prevent legitimate clients from accessing services are considered a serious hazard to the availability and reliability of the internet services. For example, server receives huge number of junk request from malicious client. For each request, server has to waste extra CPU time for completing process of SSL handshakes .Server cannot handle requests of services from its true customers because it may not have enough resources to handle the request. As a result of this attack is vanished businesses and reputation lost. Represented an advance mechanism that refers as the software puzzle, the aim of this mechanism is to prevent DoS or DDoS attacks and provide services to valid clients. The idea is quite simple. When a client wants to acquire a service from the server, client sends a simple request to the server. After getting the client request, the server sends one puzzle challenge to client. Client must first solve a complex structure puzzle correctly and submit it to the server for accessing services. Server verifies this puzzle solution, if it is correct then server agrees to establish connection with client. To solve this puzzle by every client, prevent vulnerable connection. A software puzzle is different kinds of methods or complex structure or problem which uses sequence of steps and solving these steps client can access resources. Timestamp, data length, key length and software puzzle complexity these attributes are used for security purpose in puzzle generation process and generates puzzle dynamically. I have used the SPEKE algorithm for key generation; it provides high level security and thwarts man-in-middle attack by password. Implement the RC7 algorithm for encryption purpose. It provides best result in case of throughput and time consumption and provides high level security

Powerful Mechanism To Avoid Denial Of Service Attack For Providing Data Security Using Software Puzzle

Network is a gathering of hubs that interrelate with each other for switch over the data. This data is vital for that hub is saved secretly. Attacker in the framework may catch this private data and twisted. So security is the real issue. There are a few security Attacks in network. One of the real scares to web analyze is DDoS Attack. It is a vindictive push to suspending or suspends administrations to destination hub. – Denial of administrations (DOS) and Distributed Denial of administrations (DDoS) are the significant issue against network security and digital security that permit a customer to perform exceptionally costly and key operations, before the network administrations are given to the regarded customer. However An Attacker might have the capacity to control the DOS and DDOS or implicit illustrations preparing Unit (GPU) and have the capacity to crush customer perplexes. In this paper we concentrate how to safeguard DOS and DDOS Attacker for being controlling the puzzlesolving strategies. So now we present another customer riddle alluded to as Software Puzzle. It is not at all like past riddle, which produce their riddle calculations ahead of time, a riddle calculation in the present programming riddle plans is haphazardly created simply after a customer solicitation is gotten from the server side. t the Denial-of-administration and disseminated DoS Attack a customer riddle strategy is actualized. Keeping in mind the end goal to avert further Attack in network and to improve the security the solicitation that is given by the customer and the document sent by the server to customer is in scrambled structure. One downside of existing framework is if the assailant distinguishes the port, he can barge in or meddle in the correspondence and surge DOS Attack and can hack conveying information. The strategy utilized is clarified as takes after. To start with the customer needs to explain a riddle produced by the server. At that point the customer checks the inactivity of the document that must be gotten to from server database. The customer can test the inactivity of the server by inputting the comparing server IP address, number of bundles, and the length of information in bytes. In the wake of handling the inactivity checking parameters, ping measurements of the server and the rough round excursion the reality of the situation will become obvious eventually shown in the outcome. The customer then encodes the solicitation and sends the solicitation to server. AES Algorithm is utilized to play out the encryption and decoding. The server after getting the solicitation needs to unscramble the solicitation utilizing the customer port number and IP address. The server sends the asked for record by encoding the document. At last the customer gets the record, unscrambles the substance and read it. Subsequently it can be inferred that more solid correspondence can be performed amongst server and customers and dynamic interchanges stays unaffected even within the sight of DDoS Attacks

Publicly Verifiable Proofs of Sequential Work

We construct a publicly verifiable protocol for proving computational work based on collision-resistant hash functions and a new plausible complexity assumption regarding the existence of inherently sequential hash functions. Our protocol is based on a novel construction of time-lock puzzles. Given a sampled puzzle $P \gets D_n$, where $n$ is the security parameter and $D_n$ is the distribution of the puzzles, a corresponding solution can be generated using $N$ evaluations of the sequential hash function, where $N>n$ is another parameter, while any feasible adversarial strategy for generating valid solutions must take at least as much time as $\Omega(N)$ *sequential* evaluations of the hash function after receiving $P$. Thus, valid solutions constitute a proof that $\Omega(N)$ parallel time elapsed since $P$ was received. Solutions can be publicly and efficiently verified in time \poly(n) \cdot \polylog(N). Applications of these time-lock puzzles include noninteractive timestamping of documents (when the distribution over the possible documents corresponds to the puzzle distribution $D_n$) and universally verifiable CPU benchmarks. Our construction is secure in the standard model under complexity assumptions (collision-resistant hash functions and inherently sequential hash functions), and makes black-box use of the underlying primitives. Consequently, the corresponding construction in the random oracle model is secure unconditionally. Moreover, as it is a public-coin protocol, it can be made non-interactive in the random oracle model using the Fiat-Shamir Heuristic. Our construction makes a novel use of ``depth-robust\u27\u27 directed acyclic graphs---ones whose depth remains large even after removing a constant fraction of vertices---which were previously studied for the purpose of complexity lower bounds. The construction bypasses a recent negative result of Mahmoody, Moran, and Vadhan (CRYPTO `11) for time-lock puzzles in the random oracle model, which showed that it is impossible to have time-lock puzzles like ours in the random oracle model if the puzzle generator also computes a solution together with the puzzle

Moderately Hard Functions: Definition, Instantiations, and Applications

Several cryptographic schemes and applications are based on functions that are both reasonably efficient to compute and moderately hard to invert, including client puzzles for Denial-of-Service protection, password protection via salted hashes, or recent proof-of-work blockchain systems. Despite their wide use, a definition of this concept has not yet been distilled and formalized explicitly. Instead, either the applications are proven directly based on the assumptions underlying the function, or some property of the function is proven, but the security of the application is argued only informally. The goal of this work is to provide a (universal) definition that decouples the efforts of designing new moderately hard functions and of building protocols based on them, serving as an interface between the two. On a technical level, beyond the mentioned definitions, we instantiate the model for four different notions of hardness. We extend the work of Alwen and Serbinenko (STOC 2015) by providing a general tool for proving security for the first notion of memory-hard functions that allows for provably secure applications. The tool allows us to recover all of the graph-theoretic techniques developed for proving security under the older, non-composable, notion of security used by Alwen and Serbinenko. As an application of our definition of moderately hard functions, we prove the security of two different schemes for proofs of effort (PoE). We also formalize and instantiate the concept of a non-interactive proof of effort (niPoE), in which the proof is not bound to a particular communication context but rather any bit-string chosen by the prover

Mitigating Botnet-based DDoS Attacks against Web Servers

Distributed denial-of-service (DDoS) attacks have become wide-spread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity. Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication. A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources. We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests