Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Mohammad A. Noureddine, Ahmed M. Fawaz, Amanda Hsu, Cody Guldner, Sameer Vijay, M Tamer Basar, William H Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

Original language: English (US)
Title of host publication: Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 617-629
Number of pages: 13
ISBN (Electronic): 9781728100562
DOIs: https://doi.org/10.1109/DSN.2019.00067
State: Published - Jun 2019
Event: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 - Portland, United States
Duration: Jun 24 2019 to Jun 27 2019

Publication series

Name: Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

Conference

Conference: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Country: United States
City: Portland
Period: 6/24/19 to 6/27/19

Fingerprint

Testbeds
Servers
Experiments
Linux

Keywords

  • Denial of Service Attacks
  • Proof-of-Work
  • Stackelberg Games
  • TCP

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality
  • Hardware and Architecture

Cite this

Noureddine, M. A., Fawaz, A. M., Hsu, A., Guldner, C., Vijay, S., Basar, M. T., & Sanders, W. H. (2019). Revisiting Client Puzzles for State Exhaustion Attacks Resilience. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 (pp. 617-629). [8809536] (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DSN.2019.00067
