
    Centralized prevention of denial of service attacks

    The world has come to depend on the Internet at an increasing rate for communication, e-commerce, and many other essential services. As such, the Internet has become an integral part of the workings of society at large. This has led to an increased vulnerability to remotely controlled disruption of vital commercial and government operations, with obvious implications. This disruption can be caused by an attack on one or more specific networks, which denies service to legitimate users, or by an attack on the Internet itself that creates large amounts of spurious traffic (which denies service to many or all networks). Individual organizations can take steps to protect themselves, but this does not solve the problem of an Internet-wide attack. This thesis focuses on an analysis of the different types of Denial of Service attacks and suggests an approach to prevent both categories by centralized detection and limitation of excessive packet flows.

    On Non-Parallelizable Deterministic Client Puzzle Scheme with Batch Verification Modes

    A (computational) client puzzle scheme enables a client to prove to a server that a certain amount of computing resources (CPU cycles and/or memory look-ups) has been dedicated to solving a puzzle. Researchers have identified a number of potential applications, such as constructing timed cryptography, fighting junk email, and protecting critical infrastructure from DoS attacks. In this paper, we first revisit this concept and formally define two properties, namely deterministic computation and parallel computation resistance. Our analysis shows that both properties are crucial for the effectiveness of client puzzle schemes in most application scenarios. We prove that the RSW client puzzle scheme, which is based on the repeated squaring technique, achieves both properties. Secondly, we introduce two batch verification modes for the RSW client puzzle scheme in order to improve the verification efficiency of the server, and investigate three methods for handling errors in batch verifications. Lastly, we show that client puzzle schemes can be integrated with reputation systems to further improve their effectiveness in practice.

    Efficient trapdoor-based client puzzle system against DoS attacks

    Denial of service (DoS) and distributed denial of service (DDoS) are serious threats to computer networks. DoS and DDoS attacks aim to shut down a target server by depleting its resources and rendering it incapable of offering stable and integrated service to legitimate clients. Preventing DoS and DDoS attacks is a difficult task. A promising countermeasure against DoS attacks is the Client Puzzle method, which nevertheless faces a number of challenges, such as the complexity of puzzle construction and solution verification. Our research focuses on exploring novel puzzle constructions to satisfy the high demands of DoS defence in practice. In this thesis, we first identify the underlying weaknesses of existing client puzzles. To mitigate these vulnerabilities, we recommend the necessary requirements for good client puzzles. Based on this, we propose a new model for puzzle distribution, called the Trapdoor-based Client Puzzle System (TCPS). Two specific schemes are presented to construct puzzles within TCPS. We depict these two schemes, where each trapdoor algorithm is applied respectively. Both schemes have two distinct features: the computational overheads are low, and the difficulty level of puzzles is measurable. Moreover, both puzzle schemes are provably secure under traditional hard problems in mathematics. Our contribution to client puzzle defence against DoS attacks can be summarised as follows:
    * Identify the shortcomings of existing client puzzles.
    * Recommend the requirements of good client puzzles.
    * Formally define the Trapdoor-based Client Puzzle System, along with strict security conditions.
    * Propose a client puzzle scheme whose security is based on the RSA Assumption. Effectiveness and security are analysed and proven.
    * Propose a second client puzzle scheme whose security is based on the Discrete Logarithm Problem (DLP). Similarly, effectiveness and security are also analysed.
    * Provide a possible configuration for system parameters.
    * Discuss further possible attacks and their solutions.
    As our research is carried out in DoS attack scenarios, we also introduce this technical background before our achievements are presented.
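    The two abstracts above describe the same building block from different angles: a puzzle the client must work through sequentially while the server, holding an RSA-style trapdoor, checks the answer at constant cost. The following is an added illustration of that idea in Python and is not code from either paper. It uses the RSW repeated-squaring puzzle with a toy modulus (the primes, the squaring count and the batch check are assumptions; the batch check is a generic small-exponents test, not necessarily the batch modes the first paper proposes).

```python
import secrets

# Constructed toy parameters (assumption): two known primes, far too small
# for real use, chosen so the example runs in well under a second.
P, Q = 104729, 1299709
T = 20_000  # sequential squarings the client must perform


def generate_puzzle(p, q, t, x=None):
    """Server side. Returns the public puzzle (n, x, t); phi(n) is kept as the trapdoor."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if x is None:
        x = secrets.randbelow(n - 2) + 2
    return (n, x, t), phi


def solve_puzzle(puzzle):
    """Client side: y = x^(2^t) mod n by t squarings. Every step needs the
    previous result, so extra cores do not help (parallel computation
    resistance), and exactly t steps are always needed (deterministic computation)."""
    n, x, t = puzzle
    y = x
    for _ in range(t):
        y = y * y % n
    return y


def expected_answer(puzzle, phi):
    """Server side: with phi(n) known, reduce 2^t mod phi first, so the answer
    costs one modular exponentiation instead of t squarings."""
    n, x, t = puzzle
    return pow(x, pow(2, t, phi), n)


def verify(puzzle, phi, answer):
    return answer == expected_answer(puzzle, phi)


def batch_verify(puzzles, phi, answers, bits=32):
    """Verify many answers for puzzles sharing (n, t) with one final
    exponentiation: check prod(y_i^r_i) == (prod(x_i^r_i))^e mod n for random
    odd r_i. Valid batches always pass; a batch holding a wrong answer passes
    only if the random exponents happen to cancel the error, which is unlikely."""
    n, _, t = puzzles[0]
    e = pow(2, t, phi)
    lhs = rhs = 1
    for (n_i, x, t_i), y in zip(puzzles, answers):
        if (n_i, t_i) != (n, t):
            raise ValueError("batch verification needs a shared modulus and t")
        r = secrets.randbits(bits) | 1
        lhs = lhs * pow(y, r, n) % n
        rhs = rhs * pow(x, r, n) % n
    return lhs == pow(rhs, e, n)


def find_invalid(puzzles, phi, answers):
    """Error handling once a batch fails: fall back to per-puzzle checks and
    return the indices of the bad answers (the simplest of several strategies)."""
    return [i for i, (pz, y) in enumerate(zip(puzzles, answers)) if not verify(pz, phi, y)]


if __name__ == "__main__":
    puzzle, phi = generate_puzzle(P, Q, T)
    answer = solve_puzzle(puzzle)
    print("single verify:", verify(puzzle, phi, answer))
    batch = [generate_puzzle(P, Q, T)[0] for _ in range(4)]
    sols = [solve_puzzle(pz) for pz in batch]
    print("batch verify:", batch_verify(batch, phi, sols))
    sols[2] += 1  # corrupt one answer
    print("batch verify after corruption:", batch_verify(batch, phi, sols),
          "bad indices:", find_invalid(batch, phi, sols))
```

    Note the asymmetry the abstracts rely on: the client's cost grows linearly with t, the server's does not, and the server can tune t per client. A deployment would use a modulus of RSA size and a t chosen from the measured squaring rate of current hardware; the small values here exist only so the script finishes instantly.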

    New Client Puzzle Approach for DoS Resistance in Ad hoc Networks


    Development of Distributed Denial of Service (DDoS) Attack Prevention for Network Resources by Integrating Network Behavior Analysis and Client Puzzles (original title: Pengembangan Pencegahan Serangan Distributed Denial of Service (Ddos) Pada Sumber Daya Jaringan Dengan Integrasi Network Behavior Analysis Dan Client Puzzle)

    Denial of Service (DoS) is a network security problem that continues to evolve dynamically. The greater the computing power of an attacking machine, the more damaging the DoS attack it can mount. Such an attack can leave a server unable to serve legitimate service requests. DoS attacks are therefore very costly and need effective prevention. A further, equally dangerous threat is Distributed Denial of Service (DDoS), in which a large number of computers are used to run a DoS attack against a server, web service, or other network resource. Given the large risk posed by DDoS attacks, many researchers have been motivated to design mechanisms for securing network resources. In this research the author focuses on securing web services. The author proposes a mechanism for securing a web service by filtering and validating the requests received for access to a network resource. This filtering and validation combines the Network Behavior Analysis (NBA) and Client Puzzle (CP) methods. NBA forms the first line of defence, detecting whether a DDoS attack is in progress by measuring network density. NBA yields the IP addresses that must then be validated by the CP method as the second line of defence. Only a service request that has passed this filtering and validation is served. Experimental results show that the method can detect DDoS attacks while ensuring that legitimate service requests receive the service they should, so that the server can keep serving service requests properly.

    Analysis of the Client Puzzles protocol

    Abstract This paper covers a proof-of-work protocol known as client puzzles. The client puzzles protocol is layered on top of the protocol it is supposed to protect and is specifically designed to protect against connection depletion attacks. Our study determines how well the client puzzles protocol prevents connection depletion attacks and how it affects other parts of the system. To do this we implemented our own version of the protocol, measured how it performs, and reviewed what others have learned about its strengths and flaws. After implementing it and trying different puzzle sizes we could determine that client puzzles can provide some protection against connection depletion attacks, though it also became clear that the protocol has other issues. These flaws include increased vulnerability to distributed denial of service attacks from clients solving large numbers of puzzles, and denial of service attacks by simply requesting puzzles without solving them. Our conclusion is that while the protocol could solve the security issue it is supposed to, it introduces further new problems. Combined with the fact that it needs software on all clients, this makes it a rather poor solution.
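    The second flaw noted above (a client requesting puzzles and never solving them) bites only when issuing a puzzle costs the server memory. The Python below is an added example, not the authors' implementation, of a stateless hash-based client puzzle: the server derives the puzzle nonce from an HMAC over the client identifier, difficulty and timestamp, so it stores nothing per puzzle and recomputes the nonce at verification time. It also scales puzzle strength with a load measurement, which is how the NBA-then-CP layering in the previous abstract would drive it. The key, the client identifier, the time window and the linear scaling rule are assumptions.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # assumption: rotated periodically in practice


def _nonce(client_id: bytes, difficulty: int, ts: int, key: bytes) -> bytes:
    """The puzzle nonce is an HMAC, so only this server can mint a valid one
    and it is bound to client, difficulty and issue time without any storage."""
    msg = client_id + difficulty.to_bytes(1, "big") + ts.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_puzzle(client_id: bytes, difficulty: int, key=SERVER_KEY, now=None):
    """Server: emit a puzzle. Cost is one HMAC and no state, so a flood of
    puzzle requests that are never solved does not consume server memory."""
    if not 0 <= difficulty <= 255:
        raise ValueError("difficulty must fit in one byte")
    ts = int(time.time()) if now is None else now
    return {"nonce": _nonce(client_id, difficulty, ts, key), "difficulty": difficulty, "ts": ts}


def leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve(puzzle):
    """Client: brute-force a counter until SHA-256(nonce || counter) starts with
    `difficulty` zero bits. Expected work doubles with every extra bit."""
    d = puzzle["difficulty"]
    counter = 0
    while True:
        h = hashlib.sha256(puzzle["nonce"] + counter.to_bytes(8, "big")).digest()
        if leading_zero_bits(h) >= d:
            return counter
        counter += 1


def verify_solution(client_id: bytes, puzzle, counter: int, key=SERVER_KEY, now=None, max_age=60):
    """Server: reject stale puzzles, recompute the nonce (proves we issued it to
    this client at this difficulty), then check the proof of work. Two hashes."""
    now = int(time.time()) if now is None else now
    if not 0 <= now - puzzle["ts"] <= max_age:
        return False
    expected = _nonce(client_id, puzzle["difficulty"], puzzle["ts"], key)
    if not hmac.compare_digest(expected, puzzle["nonce"]):
        return False  # forged, tampered, or issued to a different client
    h = hashlib.sha256(puzzle["nonce"] + counter.to_bytes(8, "big")).digest()
    return leading_zero_bits(h) >= puzzle["difficulty"]


def pick_difficulty(load: float, d_min: int = 0, d_max: int = 20) -> int:
    """Map a load measurement in [0, 1] (e.g. from a behaviour/density detector)
    to a puzzle strength. Assumption: linear scaling; d_max caps client cost."""
    load = min(max(load, 0.0), 1.0)
    return round(d_min + (d_max - d_min) * load)


if __name__ == "__main__":
    client = b"203.0.113.7"  # constructed client identifier
    pz = issue_puzzle(client, pick_difficulty(0.6))
    c = solve(pz)
    print("difficulty", pz["difficulty"], "counter", c, "ok:", verify_solution(client, pz, c))
```

    Within the validity window a solved puzzle could be replayed, so a real deployment either binds the nonce to the specific request (hash it into the HMAC input) or keeps a short-lived cache of accepted nonces; the cache is bounded by the window length, which is the point of keeping the issue path stateless. The first flaw above, attackers solving puzzles at scale, is not solved by this design; the difficulty cap only bounds what legitimate clients are asked to spend.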

    Mitigating Botnet-based DDoS Attacks against Web Servers

    Distributed denial-of-service (DDoS) attacks have become widespread on the Internet. They continuously target retail merchants, financial companies and government institutions, disrupting the availability of their online resources and causing millions of dollars of financial losses. Software vulnerabilities and proliferation of malware have helped create a class of application-level DDoS attacks using networks of compromised hosts (botnets). In a botnet-based DDoS attack, an attacker orders large numbers of bots to send seemingly regular HTTP and HTTPS requests to a web server, so as to deplete the server's CPU, disk, or memory capacity. Researchers have proposed client authentication mechanisms, such as CAPTCHA puzzles, to distinguish bot traffic from legitimate client activity and discard bot-originated packets. However, CAPTCHA authentication is vulnerable to denial-of-service and artificial intelligence attacks. This dissertation proposes that clients instead use hardware tokens to authenticate in a federated authentication environment. The federated authentication solution must resist both man-in-the-middle and denial-of-service attacks. The proposed system architecture uses the Kerberos protocol to satisfy both requirements. This work proposes novel extensions to Kerberos to make it more suitable for generic web authentication. A server could verify client credentials and blacklist repeated offenders. Traffic from blacklisted clients, however, still traverses the server's network stack and consumes server resources. This work proposes Sentinel, a dedicated front-end network device that intercepts server-bound traffic, verifies authentication credentials and filters blacklisted traffic before it reaches the server. Using a front-end device also allows transparently deploying hardware acceleration using network co-processors. Network co-processors can discard blacklisted traffic at the hardware level before it wastes front-end host resources. We implement the proposed system architecture by integrating existing software applications and libraries. We validate the system implementation by evaluating its performance under DDoS attacks consisting of floods of HTTP and HTTPS requests.

    Mitigating Distributed Denial of Service Attacks in an Anonymous Routing Environment: Client Puzzles and Tor

    Online intelligence operations use the Internet to gather information on the activities of U.S. adversaries. The security of these operations is paramount, and one way to avoid being linked to the Department of Defense (DoD) is to use anonymous communication systems. One such system, Tor, makes interactive TCP services anonymous. Tor uses the Transport Layer Security (TLS) protocol and is thus vulnerable to a distributed denial-of-service (DDoS) attack that can significantly delay data traversing the Tor network. This research uses client puzzles to mitigate TLS DDoS attacks. A novel puzzle protocol, the Memoryless Puzzle Protocol (MPP), is conceived, implemented, and analyzed for anonymity and DDoS vulnerabilities. Consequently, four new secondary DDoS and anonymity attacks are identified and defenses are proposed. Furthermore, analysis of the MPP identified and resolved two important shortcomings of the generalized client puzzle technique. Attacks that normally induce victim CPU utilization rates of 80-100% are reduced to below 70%. Also, the puzzle implementation allows user-data latency to be reduced by close to 50% during a large-scale attack. Finally, experimental results show that successful mitigation can occur without sending a puzzle to every requesting client. By adjusting the maximum puzzle strength, CPU utilization can be capped at 70% even when an arbitrary client has only a 30% chance of receiving a puzzle.

    DDoS defense by offense

    This article presents the design, implementation, analysis, and experimental evaluation of speak-up, a defense against application-level distributed denial-of-service (DDoS), in which attackers cripple a server by sending legitimate-looking requests that consume computational resources (e.g., CPU cycles, disk). With speak-up, a victimized server encourages all clients, resources permitting, to automatically send higher volumes of traffic. We suppose that attackers are already using most of their upload bandwidth so cannot react to the encouragement. Good clients, however, have spare upload bandwidth so can react to the encouragement with drastically higher volumes of traffic. The intended outcome of this traffic inflation is that the good clients crowd out the bad ones, thereby capturing a much larger fraction of the server's resources than before. We experiment under various conditions and find that speak-up causes the server to spend resources on a group of clients in rough proportion to their aggregate upload bandwidths, which is the intended result.
    Funding: National Science Foundation (U.S.) (NSF grants CNS-0225660 and CNS-0520241); United States Dept. of Defense (National Security Science and Engineering Faculty Fellowship).
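    The mechanism in the abstract above is easy to see in a small simulation, added here as an illustration and not taken from the speak-up paper or its implementation. A front-end "thinner" admits a fixed number of requests per round, chosen uniformly from everything that arrived; attackers already send at their full upload bandwidth, good clients send one request per round until speak-up asks them to fill their bandwidth too. Client counts, bandwidths and capacity are constructed values.

```python
import random


def simulate(good, bad, good_bw, bad_bw, capacity, rounds, speak_up, seed=0):
    """Return the fraction of admitted requests that came from good clients.

    good/bad:      number of clients of each kind
    good_bw/bad_bw: requests per round a client can push at full upload bandwidth
    capacity:      requests the server can handle per round (the thinner admits this many)
    speak_up:      if False, good clients send their real demand (1 request per round);
                   if True, they inflate to good_bw. Attackers send bad_bw either way,
                   since they are assumed to be at their bandwidth limit already.
    """
    rng = random.Random(seed)  # fixed seed so a run is reproducible
    served_good = served_total = 0
    per_good = good_bw if speak_up else 1
    for _ in range(rounds):
        arrivals = [True] * (good * per_good) + [False] * (bad * bad_bw)
        admitted = rng.sample(arrivals, min(capacity, len(arrivals)))
        served_good += sum(admitted)
        served_total += len(admitted)
    return served_good / served_total


def bandwidth_share(good, bad, good_bw, bad_bw):
    """The share speak-up aims for: good clients' fraction of aggregate upload bandwidth."""
    return good * good_bw / (good * good_bw + bad * bad_bw)


if __name__ == "__main__":
    args = dict(good=10, bad=10, good_bw=10, bad_bw=10, capacity=50, rounds=200)
    print("good share without speak-up: %.3f" % simulate(speak_up=False, **args))
    print("good share with speak-up:    %.3f" % simulate(speak_up=True, **args))
    print("aggregate bandwidth share:   %.3f" % bandwidth_share(10, 10, 10, 10))
```

    With ten good and ten bad clients of equal bandwidth, the good clients get roughly a tenth of the server before speak-up and about half after it, matching their half of the aggregate bandwidth. The assumption that carries the scheme is visible in the code: `bad_bw` does not change when `speak_up` flips. If attackers do have spare upload capacity, they inflate as well and the server is back to allocating by bandwidth share, which is exactly the proportional outcome the paper reports rather than a guarantee that good clients win.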