Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Mohammad A. Noureddine; Ahmed M. Fawaz; Amanda Hsu; Cody Guldner; Sameer Vijay; M Tamer Basar; William H Sanders

doi:10.1109/DSN.2019.00067

Revisiting Client Puzzles for State Exhaustion Attacks Resilience

Mohammad A. Noureddine, Ahmed M. Fawaz, Amanda Hsu, Cody Guldner, Sameer Vijay, M Tamer Basar, William H Sanders

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

Original language	English (US)
Title of host publication	Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	617-629
Number of pages	13
ISBN (Electronic)	9781728100562
DOIs	https://doi.org/10.1109/DSN.2019.00067
State	Published - Jun 2019
Event	49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 - Portland, United States Duration: Jun 24 2019 → Jun 27 2019

Publication series

Name	Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

Conference

Conference	49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019
Country	United States
City	Portland
Period	6/24/19 → 6/27/19

Fingerprint

Testbeds

Servers

Experiments

Linux

Keywords

Denial of Service Attacks
Proof-of-Work
Stackelberg Games
TCP

ASJC Scopus subject areas

Computer Networks and Communications
Safety, Risk, Reliability and Quality
Hardware and Architecture

Cite this

Noureddine, M. A., Fawaz, A. M., Hsu, A., Guldner, C., Vijay, S., Basar, M. T., & Sanders, W. H. (2019). Revisiting Client Puzzles for State Exhaustion Attacks Resilience. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 (pp. 617-629). [8809536] (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSN.2019.00067

Revisiting Client Puzzles for State Exhaustion Attacks Resilience. / Noureddine, Mohammad A.; Fawaz, Ahmed M.; Hsu, Amanda; Guldner, Cody; Vijay, Sameer; Basar, M Tamer ; Sanders, William H.

Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc., 2019. p. 617-629 8809536 (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Noureddine, MA, Fawaz, AM, Hsu, A, Guldner, C, Vijay, S, Basar, MT & Sanders, WH 2019, Revisiting Client Puzzles for State Exhaustion Attacks Resilience. in Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019., 8809536, Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Institute of Electrical and Electronics Engineers Inc., pp. 617-629, 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019, Portland, United States, 6/24/19. https://doi.org/10.1109/DSN.2019.00067

Noureddine MA, Fawaz AM, Hsu A, Guldner C, Vijay S, Basar MT et al. Revisiting Client Puzzles for State Exhaustion Attacks Resilience. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc. 2019. p. 617-629. 8809536. (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019). https://doi.org/10.1109/DSN.2019.00067

Noureddine, Mohammad A. ; Fawaz, Ahmed M. ; Hsu, Amanda ; Guldner, Cody ; Vijay, Sameer ; Basar, M Tamer ; Sanders, William H. / Revisiting Client Puzzles for State Exhaustion Attacks Resilience. Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019. Institute of Electrical and Electronics Engineers Inc., 2019. pp. 617-629 (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019).

@inproceedings{3465dd7e8a894f16aa1f9e58449a7917,

title = "Revisiting Client Puzzles for State Exhaustion Attacks Resilience",

abstract = "In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.",

keywords = "Denial of Service Attacks, Proof-of-Work, Stackelberg Games, TCP",

author = "Noureddine, {Mohammad A.} and Fawaz, {Ahmed M.} and Amanda Hsu and Cody Guldner and Sameer Vijay and Basar, {M Tamer} and Sanders, {William H}",

year = "2019",

month = "6",

doi = "10.1109/DSN.2019.00067",

language = "English (US)",

series = "Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "617--629",

booktitle = "Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019",

address = "United States",

}

TY - GEN

T1 - Revisiting Client Puzzles for State Exhaustion Attacks Resilience

AU - Noureddine, Mohammad A.

AU - Fawaz, Ahmed M.

AU - Hsu, Amanda

AU - Guldner, Cody

AU - Vijay, Sameer

AU - Basar, M Tamer

AU - Sanders, William H

PY - 2019/6

Y1 - 2019/6

N2 - In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

AB - In this paper, we address the challenges facing the adoption of client puzzles as a means to protect the TCP connection establishment channel from state exhaustion DDoS attacks. We model the problem of selecting the puzzle difficulties as a Stackelberg game with the server as the leader and the clients as the followers and obtain the equilibrium solution for the puzzle difficulty. We then present an implementation of client puzzles inside the TCP stack of the Linux 4.13.0 kernel. We evaluate the performance of our implementation and the obtained solution against a range of attacks through reproducible experiments on the DETER testbed. Our results show that client puzzles are effective at boosting the tolerance of the TCP handshake channel to state exhaustion DDoS attacks by rate limiting malicious attackers while allocating resources for legitimate clients.

KW - Denial of Service Attacks

KW - Proof-of-Work

KW - Stackelberg Games

KW - TCP

UR - http://www.scopus.com/inward/record.url?scp=85072130825&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85072130825&partnerID=8YFLogxK

U2 - 10.1109/DSN.2019.00067

DO - 10.1109/DSN.2019.00067

M3 - Conference contribution

AN - SCOPUS:85072130825

T3 - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

SP - 617

EP - 629

BT - Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019

PB - Institute of Electrical and Electronics Engineers Inc.

ER -

Access to Document

10.1109/DSN.2019.00067