Abstract
In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.
Original language | English (US) |
---|---|
Title of host publication | Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Pages | 617-629 |
Number of pages | 13 |
ISBN (Electronic) | 9781728100562 |
DOIs | 10.1109/DSN.2019.00067 |
State | Published - Jun 2019 |
Event | 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 - Portland, United States. Duration: Jun 24 2019 → Jun 27 2019 |
Publication series
Name | Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 |
---|---|
Conference
Conference | 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 |
---|---|
Country | United States |
City | Portland |
Period | 6/24/19 → 6/27/19 |
Keywords
- Denial of Service Attacks
- Proof-of-Work
- Stackelberg Games
- TCP
ASJC Scopus subject areas
- Computer Networks and Communications
- Safety, Risk, Reliability and Quality
- Hardware and Architecture
Cite this
Revisiting Client Puzzles for State Exhaustion Attacks Resilience. / Noureddine, Mohammad A.; Fawaz, Ahmed M.; Hsu, Amanda; Guldner, Cody; Vijay, Sameer; Basar, M Tamer; Sanders, William H.
Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 617-629 8809536 (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019).
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Revisiting Client Puzzles for State Exhaustion Attacks Resilience
AU - Noureddine, Mohammad A.
AU - Fawaz, Ahmed M.
AU - Hsu, Amanda
AU - Guldner, Cody
AU - Vijay, Sameer
AU - Basar, M Tamer
AU - Sanders, William H
PY - 2019/6
Y1 - 2019/6
KW - Denial of Service Attacks
KW - Proof-of-Work
KW - Stackelberg Games
KW - TCP
UR - http://www.scopus.com/inward/record.url?scp=85072130825&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85072130825&partnerID=8YFLogxK
U2 - 10.1109/DSN.2019.00067
DO - 10.1109/DSN.2019.00067
M3 - Conference contribution
AN - SCOPUS:85072130825
T3 - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
SP - 617
EP - 629
BT - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
PB - Institute of Electrical and Electronics Engineers Inc.
ER -