New Client Puzzle Outsourcing Techniques for DoS Resistance

Brent Waters, Stanford UniversityAri Juels, RSA Laboratories

Alex Halderman, Princeton UniversityEd Felten, Princeton University

Client Puzzles

• DoS attack the attackers consume resources quickly

• May not be enough resources left for a regular client

ServerAttackers

User

Request

Request

Request

Request

Request

Request

Client Puzzles

• Client puzzles slow down an attacker by making him solve a moderately hard challenge before granting a resource• Typically, partially invert a hash function

ServerAttackers

User

Request

y,z

x, where H(x|y)=z

Request

y’,z’

x’, where H(x|y)=z

Client Puzzles

Client Puzzles can potentially be used to protect many different kinds of resources– Email SPAM [DN’92]– TCP SYN buffers [JB’99]– CPU on SSL connections [JB’99, DS’02] – Database Queries

• Resource intensive queries• DRM?

– IP packets

Shortcomings of Client Puzzles

1) Puzzle-solving delay after user request

– User must wait for his machine to solve puzzle

– Is this a problem? [JB’99] show 1s delay for TCP syn buffer…

– However, they do their analysis under 20 attackers

– Lesson: Delay depends upon number of attackers and scarcity of resource

Shortcomings of Client Puzzles

2) Server hash computation per submitted solution– Hash overhead ~1us computation time

– Typically small relative to resource given

– Attack by flooding server with incorrect solutions

– Impractical if protecting a low level service such as IP layer

Our Solution

• Outsource puzzle creation– Puzzles created are independent of client or server using

them

• Solve for access to “channels” on servers– Assume internal routing structure is resistant to

eavesdropping

• Bastion service distributes puzzles– Global Service– Bastion operation is independent of servers and clients using it Scalability

Outsourcing Puzzles

1

2

N

Outsourcing Puzzles

• Since puzzles are independent of bastion can use robust systems to distribute puzzles

• Leverage point

1

2

N

Solving for Channels

• Client solves for a random channel• Next time period uses solved channel as solution• Solution can be transformed to work on any server

Time

1

2

N

507

Solving for Channels

• Client solves for a random channel• Next time period uses solved channel as solution• Solution can be transformed to work on any server

Time

507

507

Solving for Channels

• Client solves for a random channel• Next time period uses solved channel as solution• Solution can be transformed to work on any server

Time

507

Server A

Server B

507

507

PKA

PKB

507

1

1

507check

check

Attackers and Channels

• Attacker can only get resources allotted to channels he has solved puzzles for

Server A

507507PKA

PKA

Attackers

157678

157678

157

678

507

Puzzle Construction

• N Channels• P(x,d): Puzzle hiding x of difficulty d• H : Hash function• xi : Randomly chosen each iteration

1

2

N

Xi=gxi mod p, P(xi,d)

Puzzle for channel i Public Key of Server A

Y=ga

H(gaxi) Token for channel i on server A

Client and Server Operation

Client

Solve puzzle for period j+1• Pick random channel• Solve puzzle for channel

Server

Compute all N tokens for period j+1

• Public key = ga

• For all Xi=gxi compute Xia =gaxi

Time

j-1 j j+1

Use solution computed during period j-1•Have solution xi for channel i•For server with public key Y=ga compute Yxi =gaxi as token for channel i

•Use tokens computed during

period j-1

•Request on channel i, do a quick comparison on token list

•Keep track of resources granted per channel

Key Points

• User does not wait for puzzle to be solved

• Bytestring comparison per claimed solution

• Primary bottleneck is # of channels the server computes tokens for (exponentiations) – Will improve as processor speeds increase– Can give out Xi before Puz(xi,d)

An Example

Time cycles of 20 minutesN=20,000 channels~5% of a high end server’s computing timeSet puzzle difficulty so typical machine can have 2

solutions

1,000 attackers with 1,000 solutions; 1/10 of channels

Regular user has 2 random channels each 10% chance of being occupied by adversary 1% that both are occupied

Prototype ImplementationRate limits number of new TCP connectionsAfter SYN packet must wait n seconds before another on channel

HTTP Server

to simulate Bastion

167 298SYN

Sends two previously computed tokens

48 48

Flooding Attack Experiment

Attacker submits several false solutions

Comparison to Traditional Client PuzzlesOur Approach• Proactive approach; solves

puzzles in preparation– Uses resources when not

under attack (server & client)

• Solution is ready immediately for user request

• Bitstring comparison per claimed solution– IP layer

Traditional Client Puzzles• Enter client puzzle

operation in reaction to an attack

•User waits for client to solve

•Hash computation per claimed solution

Comparison to Traditional Client PuzzlesOur Approach• Use solutions at multiple

protocols (e.g. TCP, SSL, Database queries)

• Number of channels available should increase as servers can do PK operations faster

Traditional Client Puzzles• Unclear how should

manage protecting multiple protocols

Extensions

• Identity-Based server public keys

• More flexible number of channels per server

• Random Beacon for Bastion– Loose universal puzzle property

• More efficient PK crypto– Smaller key sizes (key life is shorter)

Conclusions

• Propose a new client puzzle outsourcing technique for protecting against DoS attacks

• Trade off extra average case effort in exchange for low-user delay and efficient solution verification