u TCP SYN flooding has been deployed in the real world –Panix, mid-Sept –New York Times, late Sept –Others Similar attacks may be mounted against , SSL, etc.
Some defenses against connection depletion
Throw away requests Buffer Server Problem: Legitimate clients must keep retrying Client Hello?
Request IP Tracing (or Syncookies) Buffer Server Can be evaded, particularly on, e.g., Ethernet Does not allow for proxies, anonymity Problems: Client Hi. My name is
Digital signatures Buffer Server Requires carefully regulated PKI Does not allow for anonymity Problems: Client
Connection timeout Problem: Hard to achieve balance between security and latency demands Server Client
Our solution: client puzzles
Intuition Restauranteur Table for four at 8 oclock. Name of Mr. Smith. Please solve this puzzle. O.K., Mr. Smith O.K. ???
u A puzzle takes an hour to solve u There are 40 tables in restaurant u Reserve at most one day in advance Intuition A legitimate patron can easily reserve a table Suppose:
Intuition ??? Would-be saboteur has too many puzzles to solve
The client puzzle protocol Buffer Server Client Service request M O.K.
What does a puzzle look like?
hash image Y Puzzle basis: partial hash inversion pre-image X 160 bits ? Pair (X, Y) is k-bit-hard puzzle partial-image X ? k bits
Puzzle basis: (Contd) u Only way to solve puzzle (X,Y) is brute force method. (hash function is not invertible) u Expected number of steps (hash) to solve puzzle: 2 k / 2 = 2 k-1
Puzzle construction Client Service request M Server Secret S
Puzzle construction Server computes: secret S time T request M hash pre-image X hash image Y Puzzle
Sub-puzzle u Construct a puzzle consists of m k-bit-hard sub- puzzles. u Increase the difficulty of guessing attacks. u Expected number of steps to solve: m×2 k-1.
Why not use k+logm bit puzzles? u (k+logm)-bit puzzle –Expected number of trials m×2 k-1 u But for random guessing attacks, the successful probability –One (k+logm)-bit puzzle v 2 -(k+logm) (e.g., 2 -(k+3) ) –m k-bit subpuzzles v (2 -k ) m = 2 -km (e.g., 2 -8k )
Puzzle properties u Puzzles are stateless u Puzzles are easy to verify u Hardness of puzzles can be carefully controlled u Puzzles use standard cryptographic primitives
Client puzzle protocol (normal) M i 1 : first message of ith execution of protocol M
Client puzzle protocol (under attack) P: puzzle with m sub-puzzles t: timestamp of puzzle τ: time to receive solution T 1 : valid time of puzzle
Where to use client puzzles?
Some pros Avoids many flaws in other solutions, e.g.: u Allows for anonymous connections u Does not require PKI u Does not require retries -- even under heavy attack
Practical application u Can use client-puzzles without special- purpose software –Key idea: Applet carries puzzle + puzzle- solving code u Where can we apply this? –SSL (Secure Sockets Layer) –Web-based password authentication
u Puzzle and protocol description u Rigorous mathematical treatment of security using puzzles -- probabilistic/guessing attack Contributions of paper u Introduces idea of client puzzles for on- the-fly resource access control