Thesis: Mitigating Network Based Denial of Service Attacks with Client Puzzles

Discussion in 'Information Technology' started by Quy Ẩn Giang Hồ, 27/4/12.

  1. Quy Ẩn Giang Hồ

    ABSTRACT
    Over the past few years, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks have become more of a threat than ever. These attacks are aimed at denying or degrading service for a legitimate user by any means necessary. The need to propose and research novel methods to mitigate them has become a critical research issue in network security. Recently, client puzzle protocols have received attention as a method for combating DoS and DDoS attacks. In a client puzzle protocol, the client is forced to solve a cryptographic puzzle before it can request any operation from a remote server or host. This thesis presents the framework and design of two different client puzzle protocols: Puzzle TCP and Chained Puzzles.
    Puzzle TCP, or pTCP, is a modification to the Transmission Control Protocol (TCP) that supports the use of client puzzles at the transport layer and is designed to help combat various DoS attacks that target TCP. In this protocol, when a server is under attack, each client is required to solve a cryptographic puzzle before the connection can be established. This thesis presents the design and implementation of pTCP, which was embedded into the Linux kernel, and demonstrates how effective it can be at defending against specific attacks on the transport layer.
    Chained Puzzles is an extension to the Internet Protocol (IP) that utilizes client puzzles to mitigate the crippling effects of a large-scale DDoS flooding attack by forcing each client to solve a cryptographic problem before allowing them to send packets into the network.
    This thesis also presents the design of Chained Puzzles and verifies its effectiveness with simulation results during large-scale DDoS flooding attacks.
    CONTENTS
    LIST OF FIGURES
    LIST OF TABLES
    CHAPTER 1
    1. Introduction
    1.1. Denial-of-Service Attacks
    1.2. An Introduction to DoS Countermeasures
    1.2.1 Prevention
    1.2.2 Detection
    1.2.3 Mitigation
    1.2.4 Traceback
    1.3. Motivation for Researching Mitigation Techniques
    1.4. Contributions
    1.5. Organization of Thesis
    CHAPTER 2
    2. Related Work
    2.1. Transport Layer Attacks and Defenses
    2.2. Network Layer Attacks and Defenses
    2.2.1 End-Host-Based Protection Mechanisms
    2.2.2 Network-Based Protection Mechanisms
    2.3. Client Puzzles as a Mitigation Technique
    2.3.1 Client Puzzles at the Transport Layer
    2.3.2 Client Puzzles at the Application Layer
    2.3.3 Client Puzzles at the Network Layer
    CHAPTER 3
    3. TCP Client Puzzles
    3.1. Overview of pTCP
    3.2. The Client Puzzle for pTCP
    3.3. Implementation of pTCP
    3.3.1 Overview of the Implementation
    3.3.2 pTCP Implementation Details
    3.4. Experiments with pTCP
    3.4.1 The Puzzle Algorithm
    3.4.2 Modulation of the Puzzle Difficulty Level
    3.4.3 Performance of pTCP during a synflood Attack
    3.4.4 Performance of pTCP in CPU-Exhaustion Attacks
    3.5. Deployment Scheme for pTCP
    3.6. Shortcomings of pTCP
    CHAPTER 4
    4. IP Client Puzzles
    4.1. Technical Challenges in an IP Puzzle Scheme
    4.2. The Client Puzzle for Chained Puzzles
    4.3. Chained Puzzles
    4.3.1 Overview of Chained Puzzles
    4.3.2 The Details of Chained Puzzles
    4.4. The Effectiveness of Chained Puzzles
    4.5. Security Concerns of Chained Puzzles
    4.6. Implementation Details of Chained Puzzles
    4.7. Simulation Results
    4.8. Deployment Scheme for Chained Puzzles
    CHAPTER 5
    5. Conclusions and Future Work
    5.1. Future Work with pTCP
    5.2. Future Work with Chained Puzzles
    5.3. Future Work with Client Puzzles
    5.4. Conclusions
    REFERENCES
    VITA
     

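The puzzle-before-service idea described in the abstract (a puzzle is demanded only while the server is under load, and the server verifies cheaply what the client paid to compute), shown as an added example that is not code from the thesis. The hash-preimage puzzle, the HMAC-derived stateless challenge, the load thresholds and every name below are assumptions, since the page does not give the thesis's puzzle algorithm.

```python
import hashlib
import hmac
import os
import struct

SERVER_SECRET = os.urandom(32)  # per-server key, so no per-client state is stored
MAX_AGE = 30                    # seconds a challenge stays valid (assumed value)

def difficulty_for_load(backlog_used, backlog_size, max_bits=16):
    """No puzzle below 50% backlog occupancy, then scale linearly to max_bits."""
    fill = backlog_used / backlog_size
    if fill < 0.5:
        return 0
    return max(1, round((fill - 0.5) * 2 * max_bits))

def make_challenge(client_id, issued_at, bits):
    """The challenge is a MAC over client identity, issue time and difficulty."""
    msg = client_id + struct.pack("!QB", issued_at, bits)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()

def puzzle_hash(challenge, nonce):
    return hashlib.sha256(challenge + struct.pack("!Q", nonce)).digest()

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve(challenge, bits):
    """Client side: brute-force a nonce; expected cost is about 2**bits hashes."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, nonce)) < bits:
        nonce += 1
    return nonce

def verify(client_id, issued_at, bits, challenge, nonce, now):
    """Server side: one MAC and one hash, whatever the difficulty was."""
    if not 0 <= now - issued_at <= MAX_AGE:
        return False  # stale or future-dated: limits replay of old solutions
    expected = make_challenge(client_id, issued_at, bits)
    if not hmac.compare_digest(expected, challenge):
        return False  # wrong client, or the claimed difficulty was altered
    return leading_zero_bits(puzzle_hash(challenge, nonce)) >= bits

if __name__ == "__main__":
    client = b"198.51.100.7:40312"                 # constructed sample endpoint
    bits = difficulty_for_load(900, 1024)          # server is close to saturation
    challenge = make_challenge(client, 1000, bits)
    nonce = solve(challenge, bits)
    print(bits, nonce, verify(client, 1000, bits, challenge, nonce, now=1005))
```

Because the client echoes the challenge and the server recomputes the MAC, a client cannot lower the difficulty or reuse another endpoint's solution, and the server holds no per-connection state until a valid solution arrives.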