Resisting Denial of Service Attacks by Puzzle Outsourcing

Published September 6, 2016, 5:09
One proposed approach to deter denial of service attacks is to require clients to solve computational puzzles before connecting to a server. Unfortunately, standard puzzle schemes impose a higher cost on legitimate clients than on attackers, because legitimate clients must often solve puzzles online while users are waiting, but attackers can solve puzzles offline using hijacked machines. We propose a new type of puzzle scheme that lowers costs for servers and for legitimate clients (but not for attackers). Our scheme outsources puzzle creation to a robust external service that we call a bastion. Many servers can rely on puzzles distributed by a single bastion, and a bastion need not know which servers rely on its services. Our outsourcing technique helps to eliminate puzzle distribution as a point of compromise. Our design has three main advantages over prior approaches. First, it is more resistant to DoS attacks aimed at the puzzle mechanism itself, withstanding over 80% more attack traffic than previous methods in our experiments. Second, our scheme is cheap enough to apply at the IP packet level, though it can be used at any level of the protocol stack. Third, our scheme allows clients to solve puzzles offline, thereby reducing the need for users to wait while their computers solve puzzles. [Joint work with Brent Waters, Ari Juels, and Alex Halderman.]
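To make the division of labour concrete, here is an added toy model of the three roles described above; it is not the paper's construction (the abstract gives no puzzle details) but an assumed hash-based puzzle: the bastion publishes one random seed per epoch that is not tied to any server, a client pre-computes a nonce for a chosen server as soon as the seed appears, and the server checks the answer with a single hash and rejects replays. All names, the difficulty target and the key material are constructed for the demo.

```python
import hashlib
import hmac

DIFFICULTY_BITS = 16  # leading zero bits required; small so the demo finishes in well under a second


def bastion_publish_seed(epoch: int, bastion_key: bytes) -> bytes:
    """Bastion side (assumed design): one unpredictable seed per epoch, identical for every
    server, so the bastion need not know who relies on it. Derived from a key here only to make
    the demo reproducible; a real bastion would publish fresh randomness."""
    return hmac.new(bastion_key, epoch.to_bytes(8, "big"), hashlib.sha256).digest()


def _puzzle_digest(seed: bytes, server_id: bytes, nonce: int) -> bytes:
    # Binding the server identifier makes a solution for one server worthless at another.
    return hashlib.sha256(seed + server_id + nonce.to_bytes(8, "big")).digest()


def _leading_zero_bits(digest: bytes) -> int:
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def solve_puzzle(seed: bytes, server_id: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force the smallest nonce meeting the target. This can run the moment
    the seed is published, before the user asks for a connection (offline solving)."""
    nonce = 0
    while _leading_zero_bits(_puzzle_digest(seed, server_id, nonce)) < bits:
        nonce += 1
    return nonce


def verify_solution(seed: bytes, server_id: bytes, nonce: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server side: one hash per check, cheap enough to run on every packet."""
    return _leading_zero_bits(_puzzle_digest(seed, server_id, nonce)) >= bits


class Server:
    """Holds the seed for the current epoch only and accepts each (epoch, nonce) once,
    so a captured solution cannot be replayed and stale epochs are refused."""

    def __init__(self, server_id: bytes):
        self.server_id, self.epoch, self.seed, self.seen = server_id, None, None, set()

    def receive_seed(self, epoch: int, seed: bytes) -> None:
        self.epoch, self.seed, self.seen = epoch, seed, set()  # new epoch: forget old nonces

    def accept(self, epoch: int, nonce: int) -> bool:
        if epoch != self.epoch or (epoch, nonce) in self.seen:
            return False
        if not verify_solution(self.seed, self.server_id, nonce):
            return False
        self.seen.add((epoch, nonce))
        return True
```

Raising `DIFFICULTY_BITS` scales the client's work exponentially while the server's cost stays at one hash, which is the asymmetry the scheme relies on.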